In the financial ecosystem, mortgage lenders find themselves operating from a unique perspective. While many types of businesses only produce limited transaction information, mortgage lenders accumulate large amounts of information about their customers, including personal data, financial data, and identifying data through the mortgage application process. The documents required for the mortgage application process can include documentation of income, tax returns, bank statements, and government identification. Because so much information is needed to complete a mortgage application, few transactions than require these disclose levels of personal information.

This unique status held by lenders has been thrust into the Limelight since the release of the HMA Mortgage – Data Breach. In May 2025, HMA released a press release stating that there had been unauthorized access of HMA’s systems after the company had conducted an investigation. Regulatory filings revealed that an unauthorized third party was able to gain access to the HMA system between April 25, 2025, and May 15, 2025. HMA conducted a forensic review of the system and determined that certain files stored may have been accessed. As a result, HMA is notifying affected individuals and has filed a report with the Massachusetts Attorney General’s Office in February 2026.

The mortgage lending industry is an attractive target for criminals to take advantage of because they have numerous identifiers that have a long shelf-life. Social Security numbers, tax identification numbers, digital signatures, date of birth, banking numbers, as well as other documents, such as insurance or health-related documents, are usually included in a typical mortgage loan file. Most of the identifiers a criminal looks to capture do not go away like credit card data can be canceled and replaced.

The process of mortgage lending is also complex. Documents flow through many stages of the underwriting process; loan officers, processors, underwriters, compliance teams, and at times to third-party service providers. The use of digital uploads, e-signature platforms, and cloud storage have improved efficiencies but also increased the amount of potential points of access. Each link in this chain of connections increases the importance of monitoring and implementing effective security controls.

Another element that increases overall risk is the retention of records. Mortgage lenders are required by laws and regulations to maintain these records for extended periods for the purposes of compliance and audit. Records may be kept archived indefinitely after a mortgage loan has closed or has been sold to another financial institution. As a result, these repositories of information grow to be highly desirable targets over time if they do fail to be continually updated with modern security measures.

Mortgage data is considered very valuable by cybercriminals for more than just immediate financial gain. An experienced cybercriminal will utilize detailed mortgage applications to develop an accurate identity profile to commit additional identity fraud such as fraudulent tax returns, opening bank accounts, or committing targeted phishing schemes, etc. Because mortgage applications are complete and verified as they go through the underwriting process, the information is usually accurate, thus providing additional assistance in committing identity theft.

The timeline associated with this case demonstrates a larger pattern we see within the entire industry. Often, the initial entry point for unauthorized access occurs weeks or even months before it is detected. While most companies react quickly to identified instances of suspicious activity, they often do not recognize or detect the initial entry point until after several days or weeks have passed. This shows the importance of continually monitoring your system(s), rather than just relying on perimeter security.

As the mortgage lending industry continues to evolve through digitization, the intersection of cybersecurity with financial risk management makes protecting personal financial information an important part of maintaining a relationship of trust in the banking community. To obtain a home mortgage, a borrower must disclose very personal financial information to complete the mortgage application and be able to secure financing for a home, which is a requirement under federal regulations and is essential to maintain a good relationship with your clients.

Lender-related incidents demonstrate how the housing finance industry is closely connected to data security. Mortgage lenders straddle the line between finance, identity, and long-term record keeping today as personal data has become so valuable. Therefore, both lenders and the consumers who use them need to remain vigilant.