On October 28, Fannie Mae notified the New Hampshire Attorney General’s Office of a security incident involving personal information of over one thousand individuals.
In their letter, they explain that in mid-October, they became aware that an employee may have been attempting to sell handwritten copies of the financial information of approximately 1,100 people. The information included, but was not limited to, their names, addresses, dates of birth, Social Security numbers, and credit scores.
Unfortunately, Fannie Mae is not sure when the problematic behavior began, noting that it could be anytime after August 2008.
But where did the personal information come from? What is somewhat puzzling about the incident is that the data involved may not have come from a Fannie Mae database. As they explain, their databases do not typically include some of the types of information found in the employee’s possession such as driver’s license numbers and financial account information.
To complicate matters even more, some of the individuals whose information was in the possession of the employee had no relationship with Fannie Mae at all, but they are also being notified of the breach. All those being notified are being offered free credit monitoring.
So as best as Fannie Mae can determine to date, there was no electronic breach of their system and the compromised data may not have even been data they held on individuals.
The letter by Evan Stolove, Fannie Mae’s Vice President and Deputy General Counsel, does not mention whether there is any possibility that the employee might have been misusing someone’s credentials to access Experian or some other credit reporting agency database. It might be helpful to know.
Update: Well, it took more than two years, but this indictment relates to the breach described above.