The current process of mortgage applications has been described as a “train wreck of an opportunity” for an identity thief.
Speaking to IT Security Guru, Egress CEO Tony Pepper said that when you’re applying for a mortgage, you’re expected to submit large quantities of highly sensitive personal information to your lender, such as copies of your passport, pay checks and bank statements.
“However, in the overwhelming majority of cases, lenders do not provide you with a secure mechanism for doing this – in fact, there is almost a resistance within the industry to accept information via any other channel than plaintext email,” he said.
“There’s a perception that secure communication can slow down or impede business processes. While this might be true of more outdated mechanisms, greater consideration needs to be paid to data protection.
“Given how many people apply for mortgages each year, hundreds of thousands of documents are inevitably being transmitted in plaintext. The opportunity for a breach due to human error – information sent to the wrong email address, for example – or intentional attack – via unauthorised access within an organisation if inboxes are shared or emails forwarded without consent – is huge.”
Asked if mortgage lenders should be following industry best practice on secure communication, Pepper said that they “absolutely” should, as they need to be compliant with the Data Protection Act when submitting documents.
He said: “Data breaches not only have the potential to cause untold harm for the individuals involved, but can also seriously damage a business’ reputation and lead to fines of up to £500,000 from the ICO. In fact, we recently undertook an FOI request to the ICO that showed breaches for lenders had increased by 200 per cent in 2014 when compared to the same period in 2013.
“As publicity of breaches increases, the mortgage industry will have no choice other than to improve information security measures when it comes to submission of documents, as well as for other electronic communications. Inevitably, not only will this protect the firm from enforcement action by the ICO, it will also improve the confidence that their clients have in them.”
A spokesperson for the Information Commissioner’s Office said: “Under the Data Protection Act, it is the organisation’s responsibility to make sure they have adequate security in place to keep the personal information they are processing secure.
“The organisation must be taking steps to make sure the information isn’t disclosed; this includes making sure there’s an adequate checking system in place to make sure documents aren’t sent to the wrong address.
“If they are dealing with sensitive information, such as information about an individual’s health, then the measures they have in place should reflect the sensitivity of the information being handled. This may include sending information via recorded delivery rather than through the standard mail.
“The organisation or company concerned should be able to explain the measures they have in place to keep people’s details safe.”
Asked if there is a better or even a national standard method of transmitting documents securely, Pepper said: “Currently there isn’t a national standard for submitting documents – and that’s really the crux of the problem. This is an issue that not only mortgage lenders face but also legal firms, insurers, public bodies and Government departments, and health providers, amongst others.
“These organisations’ activities rely on receiving vast amounts of sensitive information from citizens and clients, as well as the wider supply chain, but without understanding of how to do this securely, they’re inevitably putting this data at risk.”
The Council of Mortgage Lenders declined the opportunity to comment. TSB said in a tweet that “security is our primary concern. Customers can choose to come into branch & submit their documents face to face”.
Financial advice website Love Money said in a tweet that the “mortgage process getting more technological, only matter of time before more secure online method developed”.