FTC Settles with Data Analytics Firm Over Mortgage File Exposure

The Federal Trade Commission has reached a settlement agreement with a mortgage data analytics company following a 2019 security incident. This breach resulted in the exposure of millions of confidential mortgage documents and the personal data of numerous American citizens.
Details of the Settlement
Announced in late December, the settlement mandates that the Texas-based firm, Ascension, enhance its security protocols. It also requires ensuring that all third-party vendors adhere to appropriate data security standards. This action follows a 2021 TechCrunch investigation that revealed a database belonging to OpticsML, a New York vendor utilized by Ascension, was publicly accessible online without password protection.
Notably, the settlement does not include any financial penalties.
Violation of Data Security Regulations
The FTC alleges that Ascension failed to adequately oversee its vendors’ compliance with data security safeguards. This constitutes a violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which outlines requirements for protecting consumer financial information.
Scope of the Data Breach
The security lapse compromised approximately 24 million records. These records contained highly sensitive information, including names, birth dates, Social Security numbers, and other personal details revealing individuals’ financial circumstances. Exposed data also encompassed bank account details and loan agreements.
A breach notification submitted to the California Attorney General’s office further indicated that credit files and driver’s license numbers were also compromised.
The FTC estimates that over 60,000 Americans were directly impacted by this data exposure.
How the Breach Occurred
Ascension engaged OpticsML to perform Optical Character Recognition (OCR), converting scanned documents into machine-readable text. Both the original documents and the resulting text files were accessible to anyone with the database’s IP address. The FTC determined the database remained exposed for roughly one year, experiencing over 50 access attempts, primarily originating from computers located in Russia and China.
Commission Vote and Dissent
The settlement was approved by a majority of two out of the FTC’s four current commissioners. FTC Chair Lina Khan did not participate in the vote, as she had not yet joined the agency at the time the complaint was initially filed.
Commissioner Rebecca Kelly Slaughter dissented, expressing concern that the complaint only addressed a rule violation and did not pursue formal charges against the company. Previously, Commissioner Rohit Chopra, before his appointment to lead the Consumer Financial Protection Bureau, also voiced criticism, arguing the settlement should have included Ascension’s parent company, Rocktop Partners, to properly identify the responsible entity.
Responses to Requests for Comment
Representatives of Ascension and OpticsML have not yet responded to requests for comment.
- Key Takeaway: The FTC is prioritizing data security enforcement, even without imposing financial penalties in all cases.
- Impact: This case highlights the importance of vendor risk management for companies handling sensitive consumer data.
