Recent Ransomware Threats Prompt Mortgage Company to Contract with High Bit Security for Penetration Testing


Security testing pinpoints multiple urgent vulnerabilities. Timely remediation prevents loss of an extensive store of client data, including personal information, banking and investment records, SSNs, and income history.

“Mortgage company records are a goldmine for an identity thief.” High Bit Security CBDO Barbara Goushaw

Mortgage companies store significant Personally Identifiable Information (PII). In the last few months, many small and medium-sized brokers have become prime targets for hackers.

“Anyone who has ever applied for a mortgage knows that you are required to document your entire financial life,” said High Bit Security CBDO Barbara Goushaw. “Mortgage company records are a goldmine for an identity thief, and whether this information is stored locally or the mortgage company uses third party software – customer information exists unencrypted at various points as it traverses the network. Information is transferred using unencrypted e-mails and it’s also copied, faxed, and scanned on all-in-one printers that retain the information. Yet, most of us would never ask about security policies when selecting a mortgage company - it’s a prescription for ruined lives.”

High Bit Security performed a penetration test for a national mortgage company that was concerned about its security due to a recent ransomware attack against another mortgage broker. The hacker took control of that system, locked the company out, and threatened to publish applicants’ sensitive information unless a “ransom” of $200,000 was paid within 24 hours. The national mortgage company engaged High Bit Security to test and determine its vulnerabilities, and to ascertain whether it could be subjected to the same kind of attack. Testing identified multiple exploitable vulnerabilities, underscoring the need for a preemptive approach to security and illustrating why penetration testing is widely acknowledged as the best way to protect and preserve valuable information.

“Our security engineers documented vulnerabilities that could allow a full breach of the server and the operating system,” said High Bit COO, Adam Goslin. “There was also a server misconfiguration that inappropriately exposed an ‘internal only’ database to the Internet, in addition to remote access vulnerabilities. We discovered that this company was at risk, and it was fortunate they engaged us before the hackers discovered it too. In cases like this it’s only a matter of time.”

High Bit Security reported what was found, where it was found, what it meant, relative severity within the environment, and specific details on how to fix it. Upon receipt of the testing results report, the mortgage company IT staff began at once to remediate the vulnerabilities. “Most of the fixes were relatively simple to accomplish,” said Goslin. “The trick is to know what needs to be fixed. That’s why an experienced security engineer heads up all of our engagements. They know where to look. The key is to engage us before the hackers find you, because they also know where to look. In this case the company was proactive and brought us in before they became a target.”

The complete anonymous case study can be reviewed here.

About High Bit Security: High Bit Security is a national security services provider, providing testing, assessment and solutions to clients who need to protect sensitive data in industries such as Healthcare, Credit Card, and Financial, or companies that otherwise store Intellectual Property or Personally Identifiable Information. HBS also provides security consulting services to clients who need assistance with their compliance objectives across PCI-DSS, PA-DSS, HIPAA, and SSAE-16, or who simply wish to perform a security best practices audit of their organization. Contact High Bit Security today for a free consultation to take steps toward protecting your sensitive information.


Contact Author

Barb Goushaw