DHI Mortgage notifies loan applicants of server breach (Update 4)
A reader sends along an e-mail he received from DHI Mortgage in Texas:
We have reason to believe that the integrity of your personal information may have been compromised due to a security breach of the DHI Mortgage Loan Prequalification Website. On the evening of Friday, February 10, 2012, DHI Mortgage became aware that a software security breach by unknown external sources occurred in its Internet Loan Prequalification System. Upon identifying the security breach, DHI Mortgage has taken immediate steps to remedy the breach by isolating the affected server, purging certain affected files and modifying our electronic security measures to address this specific issue. Only the data you provided during your online prequalification process with DHI Mortgage could have been compromised. At the time of prequalification, information you provided may have included, but is not limited to: name, date of birth, contact information, marital status, social security number, employment and financial information (including income, asset and liability information).
DHI Mortgage has already contacted law enforcement and implemented revised online security measures as we continue to investigate the matter. As a precautionary measure, we are sending you this notice so that you can take steps to prevent or limit identity theft or any other harm that could result from the potential misuse of your information. It is important for you to take the steps described in this letter.
We recommend that you contact any one of the three major credit bureaus and place a “fraud alert” on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your credit file. Each of the credit bureaus will send you a credit report free of charge, for your review. For your convenience, we are providing you with the toll-free telephone numbers and website addresses of the three major credit bureaus:
P.O. Box 105873, Atlanta, GA 30348
P.O. Box 2002, Allen, TX 75013-2002
P.O. Box 1000, Chester, PA 19022
You may also contact the credit bureaus listed above or the Federal Trade Commission (“FTC”) for information about security freezes. Please see below for the FTC’s contact information.
Even if you do not find any suspicious activity on your initial credit reports, the FTC recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, you should:
(a) Call your local Law Enforcement office and file a police report. Get a copy of the police report. This is important because many creditors want the information contained in the police report before determining that you are not responsible for the fraudulent debts; and
(b) File a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. Additional contact information for the FTC is as follows:
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
By utilizing the following link: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.pdf you will be directed to an online copy of “Taking Charge: What To Do If Your Identity Is Stolen,” a comprehensive guide from the FTC to help you guard against and deal with identity theft. You may also request from us a hard copy of this comprehensive guide by calling the number provided below.
Residents of North Carolina may also contact the North Carolina Attorney General’s Office for additional information about preventing identity theft. The contact information for this office is as follows:
Attorney General’s Office
9001 Mail Service Center
Raleigh, NC 27699-9001
Telephone: 1-877-5-NO-SCAM or (919) 716-6000
Residents of Maryland may also contact the Maryland Attorney General’s Office for additional information about preventing identity theft. The contact information for this office is as follows:
Office of the Attorney General
200 St. Paul Place
Baltimore, MD 21202
1 (888) 743-0023 or (410) 576-6300
If you have any questions regarding this matter, please contact one of our Compliance Specialists toll free at 1-866-883-5556.
The reader reports that when he called DHI’s “Compliance Specialists,” all he got was a recording asking him to leave a message.
There is no notice on DHI’s web site at the time of this posting. (See comments and updates)
Update 1 (2-16-12): DHI Mortgage now has a brief notice up on their web site. I note that the number they provide to call if you have any questions is different than the number that was in their e-mail. Their web site notice says, “If you have any questions, or are concerned that you may have been affected, please call 800-241-8971.”
Update 2 (2-17-12) Mainstream media is starting to catch up with the story. See Bloomberg Businessweek, The Denver Channel, and the self-promoting but unhelpful press release from parent company D.R. Horton.
Update 3 (2-18-12) A commenter alerts us that DHI has changed its notice to indicate that they will offer free credit monitoring services. They’ve also added yet another phone number to call:
DHI Mortgage is notifying those customers whose personal information may have been affected by various means, including email and letters. If you received such an email or letter, we encourage you to follow the instructions in the notice. If you have any questions, please call 800-241-8971, 800-655-3539 or 866-883-5556.
DHI Mortgage will be offering additional credit monitoring and other services at no charge to consumers who may have been potentially impacted. Details and instructions regarding this offer are expected to be made available on the DHI Mortgage website starting the week of February 20, 2012.
Update 4 (2-23-12) Commenter Pablo notes that the info for signing up for credit monitoring is now available.
Joh - February 15, 2012
I also received this email. It is a dirty shame that these companies are not held accountable for things like this. In order to do business you are required by them to provide personal information. If they were held accountable for not securing their data with a large fine then maybe they would try harder to secure the data. They should not ask for personal information if they are not going to secure it fully.