A reader sends along an e-mail he received DHI Mortgage in Texas:
We have reason to believe that the integrity of your personal information may have been compromised due to a security breach of the DHI Mortgage Loan Prequalification Website. On the evening of Friday, February 10, 2012, DHI Mortgage became aware that a software security breach by unknown external sources occurred in its Internet Loan Prequalification System. Upon identifying the security breach, DHI Mortgage has taken immediate steps to remedy the breach by isolating the affected server, purging certain affected files and modifying our electronic security measures to address this specific issue. Only the data you provided during your online prequalification process with DHI Mortgage could have been compromised. At the time of prequalification, information you provided may have included, but is not limited to: name, date of birth, contact information, marital status, social security number, employment and financial information (including income, asset and liability information).
DHI Mortgage has already contacted law enforcement and implemented revised online security measures as we continue to investigate the matter. As a precautionary measure, we are sending you this notice so that you can take steps to prevent or limit identity theft or any other harm that could result from the potential misuse of your information. It is important for you totake the steps described in this letter.
We recommend that you contact any one of the three major credit bureaus and place a “fraud alert” on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit file. Each of the credit bureaus will send you a credit report free of charge, for your review. For your convenience, we are providing you with the toll-free telephone numbers
and website addresses of the three major credit bureaus:Equifax Experian
TransUnionCorp
P.O. Box 105873 P.O. Box 2002
P.O. Box 1000
Atlanta, GA 30348 Allen, TX 75013-2002
Chester, PA 19022
800-525-6285 888-397-3742
800-680-7289
www.equifax.com www.experian.com
www.transunion.comYou may also contact the credit bureaus listed above or the Federal Trade Commission (“FTC”) for information about security freezes. Please see below for the FTC’s contact information.
Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should:
(a) Call your local Law Enforcement office and file a police report. Get a copy of the police report. This is important because many creditors want the information contained in the police report before determining that you are not responsible for the fraudulent debts; and
(b) File a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. Additional contact information for the FTC is as follows:
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
http://www.ftc.govBy utilizing the following link: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.pdfyou will be
directed to an online copy of “Taking Charge: What To Do If Your Identity Is Stolen,” a comprehensive guide from the FTC to help you guard against and deal with identity theft. You may also request from us a hard copy of this comprehensive guide by calling the number provided below.Residents of North Carolina may also contact the North Carolina Attorney General’s Office for additional information about preventing identity theft. The contact information for this office is as follows:
Attorney General’s Office
9001 Mail Service Center
Raleigh, NC 27699-9001
Telephone: 1-877-5-NO-SCAM or (919) 716-6000
http://www.ncdoj.gov/Residents of Maryland may also contact the Maryland Attorney General’s Office for additional information about preventing identity theft. The contact information for this office is as follows:
Office of the Attorney General
200 St. Paul Place
Baltimore, MD 21202
1 (888) 743-0023 or (410) 576-6300
http://www.oag.state.md.us/index.htmIf you have any questions regarding this matter, please contact one of our Compliance Specialists toll free at 1-866-883-5556.
Sincerely,
DHI Mortgage
The reader reports that when he called DHI’s “Compliance Specialists,” all he got was a recording asking him to leave a message.
There is no notice on DHI’s web site at the time of this posting. (See comments and updates)
Update 1 (2-16-12): DHI Mortgage now has a brief notice up on their web site. I note that the number they provide to call if you have any questions is different than the number that was in their e-mail. Their web site notice says, “If you have any questions, or are concerned that you may have been affected, please call 800-241-8971. ”
Update 2 (2-17-12) Mainstream media is starting to catch up with the story. See Bloomberg Businessweek, The Denver Channel, and the self-promoting but unhelpful press release from parent company D.R. Horton.
Update 3 (2-18-12) A commenter alerts us that DHI has changed its notice to indicate that they will offer free credit monitoring services. They’ve also added yet another phone number to call:
DHI Mortgage is notifying those customers whose personal information may have been affected by various means, including email and letters. If you received such an email or letter, we encourage you to follow the instructions in the notice. If you have any questions, please call 800-241-8971, 800-655-3539 or 866-883-5556.
DHI Mortgage will be offering additional credit monitoring and other services at no charge to consumers who may have been potentially impacted. Details and instructions regarding this offer are expected to be made available on the DHI Mortgage website starting the week of February 20, 2012.
Update 4 (2-23-12) Commenter Pablo notes that the info for signing up for credit monitoring is now available.
I also received this email. It is a dirty shame that these company’s are not held accountable for things like this. In order to do business you are required by them to provide personal information. If they were held accountable for not securing their data with a large fine then maybe they would try harder to secure the data. They should not ask for personal information if they are not going to secure it fully.
I agree and plan to contact my attorney as they want me to pay to hav someone review my credit report. It was their systems that they cannot maintain security, but I pay the price, don’t think so.
My son who lives in Illinois also received the identical email. The only problem, he has never applied for a loan with DHI Mortgage and he has not lived at the address stated on the letter in over 10 years. However, our daughter recently purchased a house in Texas with D R Horton and financed her house through DHI Mortgage. As of yet, she has not received the security breach letter from DHI Mortgage. I have left several voicemails with the gentleman who collected all her personal information to explain to us what is going on. Unfortunatly, I have not received a response response from him yet.
I also received this notice via e-mail, called their Compliance Specialist and all
I got was a recorded message asking to leave my name/phone number. I’m still waiting
for a call back, no matter how personal data was compromised DHI is/was responsible
for protecting this data and there will be consequences.
My wife and I received the same email. We bought a DR Horton home through DHI Mortgage in September of 2011 in Texas. They will be getting daily calls until we are compensated for long term credit protection coverage. There is entirely too much information on pre-qualification forms for it to be breached.
We got the same e-mail is there not a class action lawsuit that can be issued against them for something like this. I find it ridiculous that for a pre-qualification site, once they approved us and allowed another company like Bank of America to buy the mortgage that they didnt purge those files after 6 months. Why are they keeping my personal data when I am not even one of their customers now?
I received the same email. Bought a house through DHI in Feb of 2011. It was a terrible process and it was a god send when the sold my loan off to another bank. But now this? DHI needs to take responsibility for their poor security and hire a 3rd party company to handle the call volume. I can only hope the provide credit monitoring for the next 5 years at least.
My wife and I also received this letter. We purchased a house in Aug 2011. We too will be expecting long term credit protection.
I have received the same email a couple of hours ago. I don’t even have a mortgage or any loan with DHI Mortgage, but I have only completed there prequalification application last year. Is it legal for them to keep my info after al this time, especially that I am not their customer? Is there any legal action that I can take against them?
I received the same email from DHI and it’s infuriating that there’s not 1 word of apology from them or any offer to compensate for the extended credit monitoring. I just spent (wasted) 30 minutes with a rep from Equifax whose sole intention was to make a sale. Seriously, I couldn’t understand half the things he was saying until the very end when I realized the whole monolog was a sales pitch. DHI should be held accountable for this breach of security, should they not?
In 2006 prequalified with DHI Mortgage to build a house by DR Horton. Subsequently, decided to not build. Just received same notice from DHI regarding security breach. It is hard to believe they are still holding this information for that long and not keeping it secure. Yes, they should be legally libel for all damages and penalized for not protecting this information.
I think DHI should get sued for allowing a hack of confidential information. Anyone an attorney? I cannot see how they should not compensate us for, at a minimum, full credit reporting monitoring and if our identity is stolen… a whole lot more!
I received the same email. I agree with most of the commenters here that there’s no word of apology or any offer to compensate for the extended credit monitoring. what can we do about it ?
they now have it on their site too
http://dhimortgage.com/promotions/information-about-the-recent-security-breach/
My wife and I recieved the same letter last night. I was in contact within minutes to TransUnion to put a fraud alert on my credit. I then contacted DHI and had to leave a message. I just got off the phone with the rep and was told that they are not willing to compensate those of us affected with credit monitoring and that they have done their job by informing us. WTF!!! I see a large class action suit in the very near future with many years of credit monitoring. My mortgage isn’t even through DHI why would they store infromation like that for several years. Just an FYI, when speaking with TransUnion, there is a way to put a credit freeze on your credit. It will cost around $10.00 depending on the state you live in and a pin and password is required to authorize credit companies to give you a line of credit. What about compensation for the trouble we are all going to have to go through now when applying for credit?!
More than likely the reason they still hold our records is due to regulations for document retention. The only way a company can be held accountable is if they are not meeting certain guidelines for privacy protection. The problem is that most companies are 2-3 steps behind in protection what hackers can breach. Before you think I’m backing DHI, I’m not. I too received the email for a 2006 mortgage which was sold off to B of A within the first month.
To my knowledge, there is no federal or state regulation that requires them to retain old data on a server that is connected to the Internet.
Also, you all might find this statement in their privacy policy of interest:
If you speak to them, ask them why the data are at risk if they were encrypted. Were the data, in fact, stored in strong encryption? Did the hacker get the decryption key? What’s going on here?
I too, had a mortgage with them in 2006. They should be more clear on whether all loan applications are stored in that server or only those within xx years. Typically old data would be archived into a different database in normal IT operations.
My information was lost as well. I am very interested to learn what level of encryption was used and where the decryption key was stored. If you read the message they mention that they are” isolating the affected server, purging certain affected files”. This leads me to believe malicious code was introduced which retrieved the data.
While I agree with previous posts that they should be held accountable for this, in order to have a successful lawsuit you must first prove damages. Costs relating to freezing / unfreezing credit would be a start but I am more curious if anyone has had their identity stolen from this breach.
I too got this letter from a 2006 mortgage (SC). I plan to call and request long term credit protection. If not, I will threaten with a lawsuit. Working in IT, this is unacceptable. We should file a class action lawsuit as this appears to have impacted many people.
looks like DHI mortgage decided to offer additional credit monitoring and other services at no cost. that is a good start.
http://dhimortgage.com/promotions/information-about-the-recent-security-breach/
From their site:
DHI Mortgage will be offering additional credit monitoring and other services at no charge to consumers who may have been potentially impacted. Details and instructions regarding this offer are expected to be made available on the DHI Mortgage website starting the week of February 20, 2012.
Doesn’t look like they learned too much in configuring secure: https://www.ssllabs.com/ssldb/analyze.html?d=secure.dhimortgage.com
I did get this e-mail and wanted some more info about my credit report being compromised. and this was there reply
As stated in the letter that you received via email, we have reason to believe that the integrity of personal information that may have been on our DHI Mortgage Prequalification Website could have been compromised. While we cannot be certain who’s information could have been compromised we felt it important to reach all that we had contact information for to alert them of the possibility
An update from the DHI website:
DHI Mortgage is also offering additional credit monitoring and other services at no charge to consumers who may have been potentially impacted. In order to activate this product, you may call 888-829-6549 or follow the instructions in the follow-up notice being sent by mail and/or email during the week of February 27, 2012.
I just called the 888 # and set up the additional credit monitoring. They are offering to monitor your credit on a daily basis and alert you on any activities (via email or snail mail). This service will be provided free for 1 year.
Is this for offer good for anyone>
This notice is on their website (last time I checked) so I’d assume that it applies to anyone affected by the breach. But there’s only 1 way to be sure – call their 888#.
With todays technology it is inexcusable for a security breach of this type. I have received the initial email alert, but have not received any follow-up email offering credit monitoring for one year. At minimum they should be offering seven years of monitorig including banking information. It is a requirement of Sarbanes-Oxley that personal information be kept secure. Obviously DHIMortgage has failed this requirement. Maybe their IT Department is like their home construction – they cut corners to save a few $$.
Class action lawsuit anyone.. I’ll be happy to join..
DHI just can’t let go of everything about me and my family and send an email notifying me about it. Now whoever hacked in, can do anything with my ssn, bank account, license and whatever else i sent them..
Really? you wont get a dime. They are doing what needs to be done to safe guard eveybodys info. They didnt give any info away. It was hacked. It has happened to the Pentagon, IRS, Facebook. Microsoft etc. If its a quick buck you are looking for, try developing a software that will prevent hackers. I promise you, you will MAKE MILLIONS.