Four major cyberattacks in as many months took two major mortgage lenders and two major title companies offline, exposed millions of customers’ personal data and generated multiple class-action lawsuits.

Successive and dramatic cyberattacks brought down systems at mortgage lenders LoanDepot and Mr. Cooper and title insurance companies Fidelity National Financial and First American in the last several months, highlighting the dangers Massachusetts financial institutions say they face every day.

In the October Mr. Cooper attack, hackers made off with nearly 15 million current and former customers’ data, generating several class-action lawsuits. Fidelity National Financial said in a regulatory filing that 1.3 million of its customers’ data was stolen in November. In the LoanDepot case earlier this month, hackers locked workers out of big chunks of key data, demanding a ransom in return. And in the December First American case, criminals both stole data and encrypted data on some of the company’s systems, the company told federal regulators.

Traci Michel, chief operating officer of Chelsea-based Metro Credit Union, said the credit union has seen a significant increase in cyberattack attempts in recent years, a trend she said is also widespread across the banking industry as a whole.

“We saw a five-fold increase in [hacking] attempts in a five-to-seven-year period, but the good news is, our cybersecurity tools have gotten a lot more sophisticated as well,” Michel said. “Although you see this sharp increase in attempts, you don’t necessarily see that we’re always putting out fires and we’re running around because we’re constantly under attack. But when you look at just the perimeter-level security, the stuff that’s not getting in the front door to begin with, those numbers have skyrocketed.”

She said focus and investment in cybersecurity should grow side by side with digital banking strategies, something the credit union has built into its budget in recent years.

“Around 10 to 15 percent of our IT budget is directed specifically to cybersecurity. For every dollar of digital spend, we are investing another $0.50 in security controls to keep the environment safe for members to use,” Michel said.

She noted that the credit union has two full-time employees who oversee day-to-day security, supplemented by outsourced consultants who do work that would otherwise require up to six full-time employees if Metro handled all cybersecurity in-house.

Layers of Security in the System

Michel said that for the software side of cybersecurity, Metro has adopted a defense-in-depth model where multiple security measures are in place to protect customer assets and information.

“We view security like an onion that has a lot of different layers to it. In terms of risk in an organization, you have to look at what types of businesses that you’re in, and what types of data you collect. Data privacy is one of our primary responsibilities and it is critical for us to do business with the public and handle their information, but we have to keep it secure,” she said.

Metro’s first layer of defense is a “perimeter” that acts as a front door and can block any type of traffic outright. Next, the credit union deploys network security tools to understand the kind of traffic going back and forth between employees, vendors, partners and others. Checks also happen on every device where data is entered, such as computers, laptops, phones, iPads and other tablets, and the audio-visual equipment in meeting rooms. Lastly, the lender uses application-level security tools, such as software built into email applications that permits or blocks certain types of activity.

Michel noted that Metro has made significant investments in software at each of these layers, since the layers keep growing more complex and evolve quickly over time.

She said the credit union bases its software buying decisions on a guide published by the Federal Financial Institutions Examination Council (FFIEC). The guide helps financial institutions determine how much risk each of their lines of business is exposed to and which types of software they use to run those businesses, and then suggests the types of controls that should be in place to secure the system.

“It’s a commonplace industry standard to understand what your risks are and then use the prescriptive approach to apply those controls into your environment,” Michel said.

Email Attacks Skyrocketed

On the people side of cybersecurity, Michel said, cyberattacks mostly take the form of getting sensitive information through phone or video calls and emails.

According to Microsoft’s 2023 Digital Defense Report, business email compromise attacks, a broad category that includes the familiar type of attack known as “phishing,” have skyrocketed to over 156,000 daily attempts, with a tenfold increase in attempted password attacks in 2023 from around 3 billion per month to over 30 billion per month.

It is not just employees who receive these emails, Michel said, but also the customers themselves.

“You have attackers who just try random combinations of usernames and passwords to see if they can get into your online banking. They have no real information. That’s called a brute force attack. You have similar types of attacks on debit cards where they try random combinations of debit card numbers to see if they can get a valid card,” she said.
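As an added example, not from the article or from Metro Credit Union, here is the detection side of the brute-force pattern Michel describes: a short Python script that scans constructed online-banking login log lines and flags a source address that racks up many failed logins across many different usernames within a short window. The log format, thresholds and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of online-banking login events (not real customer data).
# One source address cycles through many usernames in seconds; another is a
# customer who mistypes once and then signs in normally.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-01-15T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-01-15T09:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-01-15T09:00:04Z ip=203.0.113.7 user=dave result=FAIL
2024-01-15T09:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-01-15T09:00:06Z ip=203.0.113.7 user=frank result=FAIL
2024-01-15T09:01:10Z ip=198.51.100.4 user=alice result=FAIL
2024-01-15T09:01:40Z ip=198.51.100.4 user=alice result=OK
2024-01-15T09:30:00Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_bruteforce(events, window=timedelta(minutes=5), fail_threshold=5, min_users=3):
    """Return {ip: (failures, distinct_users)} for source addresses whose failed
    logins inside any `window` reach fail_threshold AND span min_users accounts.
    Requiring many distinct usernames separates credential guessing from one
    customer who simply forgot their password."""
    fails = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):          # sliding window over failures
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= fail_threshold and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(users))
        if best:
            flagged[ip] = best
    return flagged
```

On the sample data only 203.0.113.7 is flagged; the single failed attempt from 198.51.100.4 never meets the threshold, which is the point of combining a count with a distinct-user requirement.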


Even the Consumer Financial Protection Bureau warned the public last week about an imposter scam that uses CFPB employees’ names to try to obtain sensitive information so the criminals can access private bank accounts.

This can be in the form of a phone call, video call or an email from an imposter asking to pay upfront fees or taxes or telling the target that they have won a lottery, sweepstakes or class-action lawsuit, even if they did not sign up for it.

“We can’t say it enough – the CFPB will NEVER contact you and ask you for sensitive information or to pay money,” the bureau said. “We also won’t ask you for personal or sensitive information before you can cash a check we’ve issued.”

Michel said Metro Credit Union constantly trains and tests its employees with monthly exercises in which a third-party consultant may send a trial phishing email to see whether employees click, and educates employees on better ways to handle customer information.

Cyberattacks on Mortgage Companies Put Focus on Threat’s Increase

by Nika Cataldo