Bayview Asset Management, a leading nonbank mortgage servicer, has been hit with a $20 million fine after a 2021 data breach compromised the personal data of 5.8 million customers. The breach, involving Bayview and its affiliates, including Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings, prompted an investigation by 53 state financial regulators.
Details of the Data Breach and Its Impact
The breach occurred in October 2021 when an employee of Bayview accidentally downloaded malicious software during routine work-related internet activities. This software allowed cybercriminals to install malware and steal personally identifiable information (PII) from the company’s network. While Bayview did notify affected consumers and provide free credit monitoring services, the company failed to meet all state regulatory notification requirements in a timely manner, which caused delays in the investigation.
The Response from State Regulators
State regulators from California, Maryland, North Carolina, and Washington led the investigation, which revealed that Bayview’s cybersecurity practices were deficient and failed to meet federal and state standards. Moreover, Bayview’s delayed responses to regulatory requests hindered the progress of the inquiry.
In addition to the $20 million fine, Bayview and its affiliates have agreed to implement a corrective action plan, which includes:
- Enhancing Cybersecurity Systems: Strengthening internal security measures to comply with state and federal standards.
- Independent Cybersecurity Assessments: Undergoing third-party evaluations to assess and ensure compliance.
- Three Years of Reporting: Providing detailed progress reports to state regulators for the next three years.
What This Means for the Mortgage Industry
This case sheds light on the growing cybersecurity risks in the mortgage and financial services industries. With increasing reliance on third-party service providers and financial technology, companies handling sensitive consumer information need to prioritize cybersecurity to prevent similar breaches.
Cybersecurity experts warn that breaches like this not only harm consumers but can also damage the credibility of companies managing private financial data. The Office of the Comptroller of the Currency (OCC) has highlighted the elevated cyber risks facing financial institutions, urging companies to adopt robust protective measures.
Statements from State Officials
State officials emphasized the importance of cybersecurity compliance in the wake of the breach:
- Cheryll Olson-Collins, Secretary of the Wisconsin Department of Financial Institutions, remarked, “This multistate action is a reminder to all financial institutions: safeguarding consumer data and complying with regulations is non-negotiable.”
- Kevin Allard, Superintendent of the Ohio Division of Financial Institutions, said, “This settlement highlights the importance of data protection. Companies need to take their cybersecurity responsibilities seriously to avoid consequences like this.”
- Curtis Loftis, South Carolina State Treasurer, added, “Financial companies must ensure that borrowers’ personal data remains secure, especially as cybersecurity threats continue to grow.”
What Consumers Need to Know
Consumers affected by the breach are encouraged to contact their state regulators or visit the Nationwide Multistate Licensing System (NMLS) to verify whether a mortgage company is licensed and to view past enforcement actions.
Residents of the affected states can reach out to:
- Wisconsin: Division of Banking – Call 608-261-7578 or email DFIMortgageBanking@dfi.wisconsin.gov.
- Ohio: Division of Financial Institutions – Visit their website or call 614-728-8400.
- South Carolina: SC Consumer Finance Division – Call 803-734-2020.
Conclusion
The Bayview Asset Management data breach case marks a significant moment in the mortgage and financial industries, highlighting the growing risk of cyberattacks. This settlement serves as a critical reminder that cybersecurity compliance is essential, and companies must take all necessary steps to safeguard consumer data. By agreeing to a $20 million fine and committing to corrective actions, Bayview sets a precedent for others in the industry to follow. Proactive cybersecurity measures, timely cooperation with regulators, and adherence to state and federal standards are key to maintaining consumer trust and avoiding future penalties.