The Mortgage Data Weak Link: Third-party Systems That Put Borrowers At Risk

For many years, the mortgage industry has focused on developing new underwriting models, faster loan decisions, and a better digital experience for borrowers. But behind that shiny experience is an increasing risk that most borrowers will never know about: the network of third-party systems that quietly work with their most sensitive data. The recent data breach at Towne Mortgage Company, where an unauthorized party may have copied data from its internal network, is yet another reminder that borrower privacy is at risk not only from lenders but from an entire network of connected platforms that run modern mortgage operations.

What makes situations like the Towne Mortgage incident especially concerning is how embedded third-party products have become throughout the loan lifecycle. Escrow platforms, appraisal systems, document-verification tools, income-verification APIs, and automated underwriting systems transfer borrower data back and forth in real time. A single mortgage application could go through anywhere from 7 to 15 systems before a loan closes. Every system, every connection, and every vendor increases the attack surface.

A number of these suppliers operate in the shadows, out of view of borrowers and hardly noted in disclosure statements. But they may hold complete names along with Social Security numbers, tax documents, bank statements, and employment and credit history. Lenders are regulated through compliance terms; however, many third-party platforms are not regulated under a common umbrella of cybersecurity governance and oversight, and are often bound only by contractual obligation.

Malicious actors certainly know this. Rather than compromise a bank or a big lender's front end, they increasingly find ways in through the smaller behind-the-scenes portals those lenders do a lot of business with. Smaller portals have less protection, older infrastructure, or less robust activity monitoring in place for detecting intrusions. These vendors provide service to multiple lenders, so an attacker only needs to get into one vendor to access or copy the data belonging to potentially thousands of borrowers across multiple lenders. An account compromise at one such entity does not penetrate the lender's system.

This is not just an abstract risk. The mortgage technology community has experienced a huge influx of ransomware attacks and credential stuffing attempts, as well as long-dwelling intruders who quietly observe systems and extract data. Additionally, compromised borrower data is selling for significantly higher prices than run-of-the-mill consumer PII. Malicious actors often seek this kind of complex information because it can lead to identity theft, tax fraud, and loan fraud.

The underlying problem is fragmentation. Mortgage companies, to maintain a competitive position and stay compliant, are using dozens of third-party tools to assist them, yet many consumers are unaware that applying for a mortgage means their entire financial life is flowing through an ecosystem of vendors they didn't select. Until the industry calls for centralized cybersecurity standards for every vendor in that ecosystem, breaches such as the Towne Mortgage breach will simply be a reminder of the industry's collective systemic vulnerability.

Borrowers expect mortgage companies to protect their data with the same diligence lenders demonstrate in managing financial risk. But unless the third-party ecosystem becomes part of the security conversation and mitigation plans, the mortgage industry will continue to be at risk — and borrowers will be left holding the proverbial bag after an attack they never anticipated.