The Hackers’ Dirty Little Secret

Key Bank recently notified all of its current and recent mortgage loan customers that the customers’ personal data had been stolen. The stolen information included names, mortgage property addresses, mortgage account numbers and information, home insurance policy numbers and information, phone numbers, and the first eight digits of Social Security numbers. That’s pretty serious. Any number of on-line hosts would accept that information from a computer thief and allow the thief to spoof you. Using this information, the hackers can open up credit card accounts, take out on-line loans, and open charge accounts at on-line vendors, all in your name and without your knowledge.

But here’s the thing: it wasn’t Key Bank that was hacked.

Key Bank, to make more money, had contracted part of its mortgage business to a third party. Part of having a mortgage is keeping property insurance on your property, which is Key Bank’s collateral. For example, if your house burns down, Key Bank wants to be certain it gets first shot at the insurance proceeds. But it would take staffing and a bit of effort to monitor those insurance coverages, and rather than spend the effort itself, Key Bank hires someone else to do it. Because, profits.

In Key Bank’s case, they hired a company you’ve never heard of, Overby-Seawell Co., to perform that oversight process. Of course, for Overby-Seawell to perform that task it needed a lot of information about you and your mortgage, and Key Bank passed it along to Overby-Seawell.

Key Bank is a large, multi-national business, with adequate resources to make certain its on-line data is as secure as reasonably possible. It would be pretty hard for hackers to crack into Key Bank.

By contrast, Overby-Seawell employs about 28 people and generates approximately $8 million in annual revenue. Its resources to secure its on-line systems are vastly inferior to Key Bank’s. In fact, Overby-Seawell was hacked on May 26, 2022 and did not discover the unauthorized access until July 5, 2022. For forty days, the hackers had access to large amounts of Key Bank customers’ highly sensitive personal information.

It gets worse. Overby-Seawell provides similar services for an array of major banks and smaller financial institutions. The full details don’t seem to be public yet, but victims also include customers of Pennsylvania-based Fulton Bank, where more than 100,000 customers were affected. Key Bank has not yet disclosed the number of its customers whose data may have been stolen, but we can assume that as a larger institution its volume of mortgage loans is that much higher.

It’s not just Overly-Seawell, either. Texas-based Community Loan Servicing, which provides services similar to Overby-Seawell to smaller southwest financial institutions was also hacked.

In fact, the Overby-Seawell hack was just the latest of at least 51 third party hacks, when the thieves targeted smaller businesses offering services to larger companies, thereby gaining access to less well protected information. Perhaps the latest of the third party hacks was reported in May, when St. Luke’s Health Care Systems reported that its billing services vendor, Kaye-Smith, had been hacked and at least 300,000 St. Luke’s patients had their medical billing information hacked.

And that’s the hackers’ dirty little secret. They don’t have to hack the well-protected major businesses. They can target the smaller, less well-protected servicing companies who have most of the information the hackers are after.

Let’s be very clear about this. In each of these cases, in order to make more money, the big company has handed their customers’ highly sensitive information, without the customers’ knowledge, to third parties whose computer security systems are inadequate to the risk of hacking. In most states, the larger company won’t escape liability by blaming their third party contractors (although they will certainly try to do so). But having the right to a lawsuit is a thin blanket on a cold night. Lawsuits are better than nothing, but no substitute for not having a problem at all.

It’s not going to be an easy problem to fix. A federal law, holding those who entrust private information to third parties liable to anything that happens from that entrustment, would be a good start. Any real solution would require a rebuild of the internet, which is unlikely to happen.