Countrywide warning: Ex-employee (may have) sold customer, mortgage data

Countrywide warning: Ex-employee (may have) sold customer, mortgage data

Summary: Countrywide Mortgage has started notifying customers that a rogue employee (since dismissed) may have sold sensitive personal information to an unidentified third party.The company mailed "urgent security notification" letters to customers this week, warning that the customer information involved included names, addresses, social security numbers, mortgage loan numbers and "various other loan and application information.


Countrywide warns about rogue employee selling personal dataCountrywide Mortgage has started notifying customers that a rogue employee (since dismissed) may have sold sensitive personal information to an unidentified third party.

The company mailed "urgent security notification" letters to customers this week, warning that the customer information involved included names, addresses, social security numbers, mortgage loan numbers and "various other loan and application information.

Here's a portion of the letter I received the morning (I'm a Countrywide customer):

countrywide letter on internal sale of customer data

(Click image for larger version)

The company said it will take "necessary precautions" to monitor the mortgage accounts of affected customers and promised to issue notifications "if we detect any suspicious or unauthorized activity related to this incident."

[ SEE: LendingTree insiders leak customer data ]

The Countrywide notification letter comes more than a month after the FBI arrested two men -- on a former Countrywide employee -- on charges related to a scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants.

The insider was identified as Rene L. Rebollo Jr., 36, who had worked as a senior financial analyst at Full Spectrum Lending, Countrywide's subprime lending division. He was arrested at his home in Pasadena and charged with unauthorized access to a financial institution's computers.

In an affidavit filed in federal court, the FBI said Rebollo had voluntarily described the scheme. Rebollo said he would charge $400 or $500 for batches of thousands of "leads" -- personal and account information that presumably would help outside loan agents solicit new mortgages from the Countrywide applicants, some of whom had been denied loans by the Calabasas company.

Authorities said they didn't know whether any of the information had been used for outright fraud, such as identity theft.

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a Full Spectrum computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan.

At that rate, the U.S. attorney's office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each -- an astonishingly small amount considering the importance of the material. Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made.

Earlier this year, LendingTree had a similar internal problem with the sale of customer data to third parties.

Topics: Government US, Banking, Enterprise Software, Government

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • now what

    I got the same letter. Took advantage of their
    monitoring offer but that doesn't make me feel any
    safer. What security precautions have you taken since
    receiving this letter?

    Are their any class action law suits related to this?
    • Class Action

      Lets start obne right away.
      • Gets my vote. Sign me up now

        Any attorny want to address the feasability of this? count me in.

        I just received my letter from Countrywide. Over a month after they KNEW information had been stolen.

        Thus far my wife and I have spent HOURS trying to follow the protocol that we were advised of. With no success so far. Lots of busy phone lines, and cryptic autoattendant prompts.

        My interpretation of the Countrywide's repsonse:

        Oops, we screwed up. So Sad, Too Bad, You're Had! Don't expect us to take any REAL action to protect YOUR identity. If YOUR credit gets screwed up, its your own D>>N fault you didn't spend hour upon hour trying to fix it. Just keep those mortgage payment checks commin'
  • Time to lobby congress to stop this stuff

    Am I the only person who feels that the IT industry, smart folks like us, should be lobbying Congress to make data protection and privacy part of the high priorities for next year? No one is held responsible, from what I see, at the executive levels of companies for maintaining data privacy and security. So they fire the CIO, or some underling. It seems it should be a mandate, and let the market figure out the best technologies to protect us from unauthorized access. And that means long prison sentences for folks like these.
    • Yup

      I agree 100% (see my other post). These companies just don't give a shit because the government doesn't give a shit. Let's hope a Senator's account was compromised and he gets his credit report affected :)
  • RE: Countrywide warning: Ex-employee (may have) sold customer, mortgage data

    Good information. Just found this article because I got the letter too. I can't believe that they are only offering 2 years of the credit monitoring. Whoever has this personal information can essentially use it many years down the line to steal our identity and ruin our credit.

    I am in the IT industry and I find it alarming that this information is available to financial analysts. Social Security #'s should be encrypted across all user databases and should be abbreviated whenever displayed.

    -A. Narain
  • fight back with alerts, locks, freezes

    You can request the major credit reporting bureaus to put a temporary 90-day fraud alert on your credit file or a longer-term lock/freeze. With a fraud alert (which I have done since I received the Countrywide notification, too), lenders and other vendors accessing your credit file will see a notice that you may have been a victim of identify theft and will be more careful checking any applicant. Yeah, I know, it sucks that it takes special action to make the vendors "careful" with your data. If you use these methods to restrict access to your credit file, you, yourself, will have problems getting new lines of credit, too. Some credit bureaus allow you to initiate a fraud alert via their website, but all require a written letter to remove the alert/unlock the file. I think the credit bureaus deliberately make it difficult to unlock your file just to discourage you from locking it in the first place. After all, the bureaus make money selling your data to lenders. After a friend in financial services warned me about prevalence of identify theft years ago, I have subscribed to triple-bureau credit monitoring with email/text message alerts sent when there is any activity on any account.

    Also, some banks (such as Bank of America) will text message a special temporary code to your cell phone and require that special code for you to access your bank account via the website.
    • Execution of willful offenders

      There's no doubt about guilt in cases like this. This was a willful deliberate act, done with malice forethought.

      The more scumbags die over things like this, the fewer problems we'll have.

      And yes, I'm particularly venomous toward people that betray trust like this. There's no excuse for it and it could cause a major catastrophe for innocents.
  • RE: Countrywide warning: Ex-employee (may have) sold customer, mortgage data

    Something must be done. Everyday!!! something like this occurs. Companies get no flack or legal issues done against them. Hence, they won't try to prevent it in the future.

    A few days ago I got this same letter, but from BNY Mellon about my 401K. Apparently they lost a tape backup of data from one of their trucks. Such BS, I tried to contact ACLU but their website sucks and is hard to navigate. If you want info about it so you can make a post, let me know!
  • No expectation of privacy in anything

    All the technology precautions cannot stop the human animal from corrupt behavior. It will continue to happen as it has for thousands of years. I am neither surprised nor horrified as a Countrywide customer. My info is out there in charge cards, medical records, etc., and will be breached again I am sure.
  • Corporate terrorism and incompetence

    Corporate terrorism (the sort that kills 10-20,000 Americans each year by convincing them not to use their health insurance through cohersion and obstruction) and incompetence (such as Countrywide's) is a far worse threat than Osama. The lethargy in Washington that protects these criminals is treasonous. The criminals are obviously terrorists and traitors. Not only should Rebollo be hung for this crime, the executives who "supervised" him should get long jail terms.
  • RE: Countrywide warning: Ex-employee (may have) sold customer, mortgage data

    First of all, the ex-employee and others who bought the information should be prosecuted to the maximum the law allows. Second, companies like Countrywide should held accountable for any and all costs related to all of the individuals whose confidential data was compromised.

    The message that could be sent to these companies should be:
    Do this and your company is shut down and out of business, due to your careless security.
    • This is all find and dandy...

      But; Fact is that there really are no substantive laws in place for this sort of thing. And the ones that do exist, have absolutely minimal "teeth" to them. This is all about keeping the teeth to a minimum as "Information is King", and there are many that want to get into this playing field.

      Congress will not enact any laws to stop this right now because it's not politically feasible. There are too many in Washington that soon will be out of the political realm, and back into the private sector and they want to be able to make a living at something. Since "Information is King" is the thing to do these days, don't push any laws into place to make it hard to get into that.
  • Its just to easy to query the db !

    spool the data and dump into excel.

    you could export a few gigs of data rows in a few minutes.

    i guess all this could be stopped if every data cd rom, dvd player, flash drive, and printer were actually monitored.

    they should implement a policy or setup a special box, where only on THAT computer, anything larger than lets say 100 Megs, can be copied etc.

    However... its the DBA's that could never be controlled unless they were monitored 24/7 in the workplace.
    • Actually

      There are methods to see if a DBA (or anyone else) is accessing sensitive data.

      I worked at an alarm monitoring company and found there wre over 500 Access databases on various desktops and servers that had Social Security numbers, credit card numbers, billing address, bank account numbers, etc.

      I brought this up to upper management many times but no one had any concern.

      When upper managemnt has to serve time for lack of concern then things will change. Maybe...
      High Plains
  • The problem is the companies that buy this data too

    we need to pass a law in this country that states.

    all data purchases of names, phone numberts, ssn's, must be a certified transaction by the government, or a governing body. And if not complied with, YES... even the purchasers of such data can face heavy fines and jail time too. this will curtail the problem a little bit in the US perhaps.
  • Some Preemptive Things To Do

    I haven't received the letter but since we're Countrywide customers, I'm sure we will.

    1. Call your credit card companies and do a "lost or stolen" card option. Get a new CC with new number.

    2. Call your bank(s) and get new account numbers for your accounts. I had to do this once when I lost my checkbook and it was not difficult.

    There's not much you can do if someone has your social but you can let the "big three" know (Transunion et al) and have a fraud alert put on your account. Someone already mentioned this here. Follow-up the call with written letters to them but taking it a bit further, if you plan to apply for credit or a mortgage, let the credit reporting companies know ahead of time to avoid getting a "fraud alert" on a legitimate application.

    The bad thing about something like this is that there is nothing we could have done to avoid it. Most of us protect our private information on-line better than these companies do.

    They should NOT be allowed to legitimately sell our personal information AT ALL!

    I'm smelling "class action suit" here...and I will be one of the first to join.
  • "Sell" the ex-employee's info in retailiation

    of course, it makes little diff in jail, but won't it be a hoot when he gets released to face a mile long track record of bad accounts and bills from some guy who 'stole' or bought his info. Maybe somebody will be able to help them sort it all out.
  • Who bought the ifnormation?

    I want to know who bought my financial information. Is that information available?
  • when changing account numbers...

    a further note:

    When changing credit card numbers, bank account info, etc, remember also to update any places that you do online billing with, particularly if you have accounts set up for recurring payments. When you change your account info, most of these recurring payments will NOT switch over, even if you are doing on your own bank's website, moreso if you are paying through the creditor's website, and ESPECIALLY if you have an older "ACH" type autopay arrangement.

    I work in billing, and of the FEW issues I run into with autopay, this is one of the BIG ones autopay-when borrowers move, they change bank info, but they NEVER remember to update these types of arrangements, which inevitably results in payment reversals due to an INVALID CHECK. When payment the issue isn't caught in time (which is usually...up til then, there was no reason to monitor said account!), it results in late/missing payments, and negative credit reporting...which was the point in the first place!

    For any who need it, the REAL link for the annual freebie 3-bureau credit report is:

    If you use it, it will be helpful to you have a list of your previous addresses on hand, as it will quiz you (a lot) to prove you are who you claim.

    DO NOT USE FREECREDITREPORT.COM. IT IS SCAMMY. It requests a credit card, and will sign you up for credit monitoring which will start being automatically billed after a certain period of time (generally after you've forgotten about it).