DataBreaches.Net

Ca: Risks remain in wake of mortgage broker breaches, audit shows

Posted on June 8, 2010 by Dissent

Several mortgage brokerages improved some privacy and security measures following a string of major data breaches, but failed to implement controls to raise the alarm about any future suspicious activity, a privacy audit has found.

The audit by the Office of the Privacy Commissioner of Canada (OPC) was launched after the brokerages reported 14 data breaches in the space of a few months in mid-2008.  In each case, someone impersonating an experienced mortgage agent downloaded credit reports for people who hadn’t even applied for a mortgage. As a result, the personal information of thousands of people across Canada was compromised.

“The breaches prompted the brokerages to take some positive steps to better protect personal information.  However, our audit found that those changes did not go far enough,” says Privacy Commissioner Jennifer Stoddart.

“As a result, the personal information of clients – not to mention any number of other people with absolutely no connection to the brokerages – was left at risk.”

The audit also raised concerns about data security; haphazard storage of documents containing personal information; inadequate consent by clients; and a general lack of understanding about, and accountability for, privacy issues.

The audit is described in the Commissioner’s 2009 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA), which was tabled in Parliament today.

The annual report also highlights the issue of cross-border data flows and the challenge of enforcing privacy rules in a world where these global data flows have become multipoint and multidirectional.  It summarizes a number of 2009 privacy complaint investigations, noting that a growing number of the OPC’s investigations are exploring how privacy laws apply in the virtual world.

As the report’s summary of the latest OPC private-sector audit describes, mortgage brokers represent a large and growing segment of the mortgage industry in Canada – accounting for one-quarter of all mortgage transactions.  They need to obtain credit reports from credit reporting agencies in order to assess an individual’s eligibility for a mortgage.   Credit reports contain extensive personal information that can be used by criminals to commit identity fraud.

Following the breaches, the five audited brokerages significantly tightened their practices for hiring agents.   However, the audit found there was a lack of adequate controls to restrict agents’ access to credit reports.  Specifically, the web-based tool used to obtain credit reports doesn’t allow brokers to limit the number of credit reports an agent can download.  In addition, there are no technological controls to monitor for, and raise the alarm about, suspicious activity.

Among the other risks to personal information highlighted in the audit:

  • Some brokers stacked files containing personal information on the floor or on desks within accessible offices.  One had overflow storage in an unsecured parking arcade.
  • Brokers lacked shredders capable of securely destroying documents.  One broker was re-using the reverse side of old, filled-out mortgage applications in order to print out new applications.
  • Credit reports were sometimes obtained prior to consent from a client being recorded and there was no ability for clients to opt out of secondary uses of their personal information, such as marketing.
  • There was a lack of training about privacy responsibilities and many agents did not know to whom they should turn with a privacy-related question.  In one case, a broker franchisee stated that his organization’s chief privacy officer was located at the brokerage’s head office when, in fact, he was the chief privacy officer.

One of the five audited brokerages is no longer in the mortgage broker business.  The four others still operating stated they would implement all of the recommendations in the OPC’s audit report.

“In the wake of our audit, we have ongoing concerns about the controls and safeguards in the way in which credit reports are obtained.  We are following up with the company that provides this tool to mortgage brokers, with industry associations and with Canada’s credit reporting agencies to discuss best practices for the exchange of personal information,” says Assistant Commissioner Elizabeth Denham.

“We are also continuing to work with mortgage broker associations to develop guidance documents that will help them meet their obligations under Canadian privacy law.”

The annual report and the mortgage brokerage privacy audit report are available at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the reports:

  • Annual Report to Parliament 2009 – Report on the Personal Information Protection and Electronic Documents Act
  • Audit of Selected Mortgage Brokers

Source:  Office of the Privacy Commissioner of Canada

Category: Breach Incidents, Commentaries and Analyses, Financial Sector, Non-U.S.