PHH Data Breach Exposes Employee Information

[Erica Absetz <erica () riskbasedsecurity com>]

http://www.americanbanker.com/issues/178_94/phh-data-breach-exposes-employee-information-1059140-1.html

WASHINGTON — A temporary worker for PHH Corp. potentially gained
access to employees' personal information, including Social Security
numbers and dates of birth, according to a letter from the company's
chief executive.

In a letter posted on the California Department of Justice's website,
Glen Messina, the $9.3 billion-asset mortgage servicer's president and
chief executive, wrote that the company learned on April 3 that the
former employee was indicted and is cooperating with an investigation.

The servicer has sent the letter to former and existing employees of
the company, cautioning them of the data breach. The company did not
disclose how many letters were sent, but it had roughly 6,700
employees at the end of 2012, according to its annual report.

Messina said that the servicer had no evidence the temporary worker
misused the data based on their own investigation, but they offered
identity protection services through a company called AllClear ID
until Nov. 15, 2014. The company also acknowledged it could improve
its own policies that allow temporary workers access to so much
information.

"We take our obligation to safeguard your personal information very
seriously," Messina wrote to employees. "We continue to take steps to
help prevent this type of incident from reoccurring, including
enhancing some of our policies surrounding temporary employees and
access to data."

The investigation was revealed just a month after the company named
Kathryn Ruggieri as senior vice president and chief human resources
officer. Ruggieri has been the interim human resources officer since
last September. A call to the company was not immediately returned.

PHH is one of the largest mortgage servicers in the country and had a
$182 billion loan servicing portfolio at March 31.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.