well.. what can countrywide do? give u a new identity?

At this point, they are at least admitting it and alerting you to the possibility of a problem (however remote).

In some instances (being unable to find backup tapes) the risk may be small and the credit monitoring is fine.

Make it too expensive and the companies will try to cover it up.

The thing is, Countrywide is a ferocious junk mailer of their customers, so it's possible some will simply toss the warning unopened.

On an amusing note, I today received from them a "monthly" print statement, clearly labeled as such, for the first time in nearly a year.

Countrywide has deep pockets, time to start building new credit, from a 6 figure lawsuit.

What happens when your identity that was stolen thanks to a dishonest employee?

"Gee Mr. Smith, we gave you free credit monitoring so the fact that you had 17 credit cards open and $47,000 charged in your name leads us to believe you didn't monitor your credit very well."

"Oh and because you are so far in debt we need to raise your interest rate as you are not a calculated risk."

I received the same letter.

I'm inclined to think that in retaining critical personal information, Countrywide has a responsibility to protect that data.

There shouldn't be any way for employees in such a large company to carry out any customer data unless they're scribbling SSNs by hand on a napkin. It's too easy for an IT department to make the necessary restrictions to prevent this.

Speaking as an employee of a company who provides ID theft restoration services and consultation and as such has not had but 20 seconds without the phone ringing from irate and panicking customers ALL FREAKING DAY.......

THANKS COUNTRYWIDE!!!!!!

So...probably one of these letters waiting for me in today's mail.

I'm especially looking forward to having credit counselors and the like lecture me again on the importance of properly securing my personal information.

The SYSTEM is BROKEN.

@IamNotToddDavis:

And yet you have time for Consumerist. GET BACK TO WORK, YOU!

@TechnoDestructo: I swear! I was on my break! And this could be work related anyways because I'm discussing an issue important to my clients needs!!

THANKS CONSUMERIST!!!

Instead of the credit monitoring, can't you just sue? I don't see how they are allowed to name their own settlement.

@njovin:

Do you work in IT? I can tell you now that building policies to prevent people from carrying out data is manifestly NOT easy. USB drive anyone? You can turn off all the ports, disable discwriters, and such. You can prohibit people from bringing in bags, and prohibit removing stuff from the work area. And if you are real careful in monitoring email you might prevent people from sending data out, but it is not easy.

@DashTheHand: My guess is that most people will say "oh that's horrible, hacker people are bad bad bad! I better sign up for credit protection" instead of the far more appropriate "wtf you stupid bastards how could you let this happen? i trust you with my personal data and you don't take proper, reasonable steps to secure it? call my lawyer, and that settlement better be in the 8 figure range"

If banks hire indiscriminately, fail to provide the resources for CSRs to do their jobs, and overall treat their employees like garbage... consequences happen.

That does NOT condone theft of private information. I'm just saying, there are a lot of disgruntled financial services employees out there.

Having worked for a bank where info theft occurred routinely (and was never fully disclosed to cardholders), I applaud Countrywide for their transparency. They should follow up with another letter when whoever responsible gets 6 months of jail time and a $18,000 fine... another wonderful facet of American juridical capitalism.

I received the same letter today, and for some reason, it doesn't feel right to me. Have any of you thought of the possibility that the letter may be a fake? That now, when you call this number and give them the code shown on the letter, since it's a "credit monitoring" program, they're going to ask you all sorts of personal info, such as SSN, DOB, credit card nos. that you have, etc., or is this paranoia on my part? I don't even know who to trust anymore because the scammers are getting better and better at what they do. Could this letter be a scam as well?

great, another instance where a company totally exposes its loyal customers to years of ruin and hassle repairing their credit and the consequences of identity theft and all they get is lousy credit monitoring for a finite period of time. hear me now consumers, write your legislators on the state and federal level and demand stricter penalties for such careless maintenance of your personal information. until we laws that put teeth into damages for such carelessness, large companies will continue to treat your personally identifiable information with little care and oversight. why? because under current law, all they have to do is send you a notification letter and offer pitiful credit monitoring for a year or two. if companies do that, then, under the statutes on the books and most court decisions interpreting the law in this area, companies exposing you to years of heartache and financial ruin enjoy relative immunity from damages. in most instances, companies can take substantial steps to upgrade their technology and information security but do not because it costs them too much money.

The author of this article is way off base. _Any_ place with access to sensitive data should have identity theft specialists on _staff_? They just sit around in case something goes wrong then leap into action?

I'd rather have them outsource that to a company that specializes in it - which is what they did. I'm not a countrywide fan, but this is something that is nearly unpreventable and countrywide did the right thing.

I wonder if this affects prior customers as well. I had a mortgage with Countrywide about 10 years ago and have moved 2 times since then.

There's no way they'd find me now to even tell me.

Do you work in IT? I can tell you now that building policies to prevent people from carrying out data is manifestly NOT easy.

Well, nobody forced them to be banks. They signed up for it, and that means taking on the responsibilities of a bank. That's why they get paid the big bucks. (Or, you know, just take it from your account whenever they want. That too.)

I thought of the exact same thing. My husband is going to call Countrywide itself to confirm if this is a scam or not. Be careful, because when I called them tonight, they wanted our "Borrower Activation Code." And because he sounded like a foreigner I said, "Forget it! hHw do I know this is not scam? Very suspicous! Call Countrywide and speak with a manager/supervisor or something.

Baking4me:

I have not received any such letter yet, but I will have to keep an eye out for it. As another poster mentioned above, I get so much junk mail from them that it rarely gets little more than a cursory glance before being fed to the shredder. Thanks for the heads-up Consumerist.

I'm also looking at my account on the Countrywide website and see a whole bunch of nothing regarding any data theft. Does anyone know the scope of the data breach yet? How many customers were affected and all that?

Ummm yeah...my wife received the letter yesterday but my name wasn't mentioned anywhere on the letter so at first I thought it was some sort of Countrywide junk mailer. I emailed Countrywide inquiring if this was legit or not but never heard back from them so I figured it was bogus. I log on here and see it was true.

Now we like many others got scammed by Countrywide with their arm loan a few years back and the next thing they do is stick it to us again with this. So is it worth it to take them up on the credit monitoring or will that just lead to more issues down the road?

This is what happens when you give people access to sensitive information and do not pay them well enough.

@JayDeEm: A local news report (local to Countrywide offices, I guess) lists an employee used a thumb drive to take information out of the building and sell it to a third party for two years before being detected. He has since been turned over to the FBI who have arrested him.

[www.azcentral.com]

I think it stinks there is nothing on their web site about this. For all I know the letter is a phish. Also, I never picked Countrywide Mortgage. I thought I did a deal with a local lender - they sold it to Countrywide.

And - two years is nothing if an SSN is floating around out there. This is a lifetime issue. Looking at Countrywide's stock price slide we're probably going to out last them a good bit.

@DashTheHand: Instead of the credit monitoring, can't you just sue? I don't see how they are allowed to name their own settlement.

They didn't name their own settlement. They proactively offered a credit monitoring service. I'm sure you could still sue, but this armchair lawyer thinks you'd need to be able to identify damages that exist in fact (or some statutory damages, if they exist), not damages that may or may not happen in the future.

@Chris Walters: (1) Every company that deals in sensitive data should have identity theft counselors on staff-(2) people who will walk you through a formalized plan for changing account numbers where possible, getting new account numbers if necessary, and (3) setting up a systemized way to monitor financial activity on a weekly or monthly basis. (And they should pay for any fees you're charged in the process.)

(1) Sounds like a good idea. But...

(2) How does changing your account numbers help if the stolen data included social security numbers, addresses, and DOBs? That's pretty much all a thief needs to get any data he needs (like your current account numbers), now or in the future. It's like the heist that keeps on giving.

(3) Isn't that what they offered for 2 years?

Demand that countrywide pay all costs associated with refinancing affected customer's loas to another lender. Then demand a signed affidavit from countrywide stating that the affected customer's personal information has been purged from all countrywide systems.

I got this today, too. To quote IamNotToddDavis:

THANKS COUNTRYWIDE!

I got one also .. so did this person ...

[blogs.zdnet.com]

The ex-employee was selling contact info to other lenders so that they could in turn contact you

quoted from above link -

" In an affidavit filed in federal court, the FBI said Rebollo had voluntarily described the scheme. Rebollo said he would charge $400 or $500 for batches of thousands of "leads" - personal and account information that presumably would help outside loan agents solicit new mortgages from the Countrywide applicants, some of whom had been denied loans by the Calabasas company.

Authorities said they didn't know whether any of the information had been used for outright fraud, such as identity theft.

Rebollo would copy information on about 20,000 customers at a time on Sunday nights by using a Full Spectrum computer that did not have the same security features that other machines in the office had, according to the affidavit by FBI Special Agent Richard P. Ryan.

At that rate, the U.S. attorney's office said, Rebollo would have compromised up to 2 million customer profiles for about 2.5 cents each - an astonishingly small amount considering the importance of the material. Mortgage leads are among the most expensive for sale because of the potential payoffs to intermediaries when loans are made."

I wonder what criteria was used to pull the names. My ex-wife and I were on the same loan. Today I received a letter addressed to her, but not one for me. If the information stolen included "various other loan and application information" then my information was certainly included with hers.

Maybe my letter is still on the way, but that would be strange. You would think they would batch them by last name?

@Canino:

IIRC, there is always a primary name on the loan. In my case, I'm the primary .. The letter came addressed to me and made no mention of my wife.

I did a search when I opened my letter .. Had a fleeting moment of worry that it was some bizarre snail mail phishing scam. That's how I came up with the link in my previous post.

@gnubian: That makes sense, except that I was the primary on our loan. My ex-wife's credit was pretty bad and she would have never been the primary.

@floraposte: I nearly ripped up mine and threw it away, all the crap I get from them is ridiculous. Good thing I opened it.
My wife works for a bank and stuff like this will happen from time to time where people's info is compromised. They also send out letters to people saying the same thing - your information may be compromised. She said they know who's was and who's wasn't. So the "may be" wording really means "check your credit report, make sure no one opened any accounts as you, because someone has your information."

I say fine if they send a letter guaranteeing a closed-end $0 contract on the credit monitoring and no credit card verification requirement. Otherwise,
GREAT MARKETING PROGRAM!

Is Countrywide liable for any damages I may incur? Should they at least offer the 25 cents they got for my identity? I thought I was worth more than that..

@gnubian: When I saw that amount I laughed. As someone who does affiliate marketing and is well aware of how competitive (and potentially lucrative) getting mortgage leads can be, I have to say that the stupidest thing this guy did wasn't just get caught, it was getting caught for selling something at a FRACTION of what the leads are worth.

For instance, I just found one program that will pay $35/lead. To quantify...that is roughly 175,000% greater than the rate he was getting. What a royal dumbass.

For those that were affected, be sure to check whether you are automatically enrolled in the non-free monitoring service after the promo ends. Might as well take it while it lasts, but be sure to mark your calendar for when you have to cancel it.

I am not surprised that the only area of identity theft that people are worried about is Financial Identity Theft. I am certified in identity theft and there are five areas that you should worry about. As stated there is Financial Identity theft, in addition there is DMV, Social Security, Medical and Criminal/Character identity theft. Your personal information can be used for any of these areas.

For those who state they can have your identity, how would you like to receive a letter from the IRS stating that you owe for unpaid taxes and penalties for one or more people using your social security number to obtain employment? It happens more than you think. How about being arrested for unpaid traffic tickets that you did not have? What if you find out that you have less medical insurance left because someone used it for procedures that you did not have done.

I agree that what was offered is not enough. You need to be offered a plan that not only monitors but also restores your identity. I have purchased a service that does just that. Check out the information at www.decidehere.com also check for other companies that monitor and restore identity theft. You will find out that many only offer assistance with restoration.

So far I have not received a letter from Countrywide who I have an account with. I did have a credit card replaced due to the TJX Corp data breach. To date, my identity is still clean.

I received a letter last week something to the same effect, but it was BNY Mellon Shareowner services(stock transfer agency)at the Bank of New York Mellon stating that computer tapes containing personal information was lost while being transported to an off-storage facility and that they would provide free credit monitoring (Triple Alert) and/or credit freezes for 2 years. It also claims that if I choose to enroll in this product, that I must do so within 90 days by visiting [partner.consumerinfo.com] and use a unique single-use activation code they gave me. They claim that if I place a credit freeze on my credit file within the 90 days, that they will reimburse me for the cost of the initial placement and one removal of the credit freeze. They also include a toll-free number to call 1-877-289-0136 or to visit [bnymellon.com] I really think that this is identity fraud. If anyone has received similar letters from other companies, I would really like to know and who we can contact to report it.

@starrion: So we need to let the companies that did wrong off the hook because, oh noez, they might cover it up if we actually require them to be responsible?

Awesome, my mortgage was just purchased by Countrywide.

The monitoring is great and all, but what happens when something does pops up... they send you a massive "do-it yourself" first aid kit and say best of luck! If you have an identity problem, you have a legal problem and Identity Theft is the only crime you are truly guilty until PROVEN innocent. What happens when you get pulled over and they say there is a warrant out for your arrest... Monitoring isn't going to help you there. You need a tiered suite of services that monitor, restore and give affordable access to the justice system which can only be found Here .

I just got my letter today. You forgot the most important part... the weasel PR words:

" We deeply regret this incident and apologize for any inconvenience or concern it may cause you. We take our responsibility to safeguard your information VERY SERIOUSLY blah blah blah ... "

The monitoring requires no additional payment info. You use the code that was included with your letter, answer a few basic questions to insure you are who you claim to be, and enter your email address for a decade of spam ....

2 years from now, when the monitoring expires, experian will probbaly start houding everyone to sign up for their service.

I got the letter today too - I was freaking out because I have been working for the past few weeks with a Countrywide employee to refinance my mortgage. I hate the company, but since my mortgage is already there, they were offering me the best rate. The guy I was dealing with was super slimy and something about it gave me a bad feeling - I guess I now know why. I sincerely hope for Countrywide's sake that this schmuck didn't steal my identity and did just sell the info to another mortgage company.

Wife is on account, too, but they only sent free monitoring offer to me - what gives with that, CFC? And why isn't the name of this employee being published - it should be a public record if he's been arrested.

Wow, they were sold as "leads" to other mortgage lenders, particularly those who were turned down by Countrywide?

How good of a "lead" are you, if Countrywide wouldn't even give you a loan?

How timely a story. A lady here at work just got notice of this from Countrywide and is literally sh*tting her pants as I write this... calling all her banks to put fraud alerts on accounts, etc. As if Countrywide doesn't have enough problems already, sheesh.

If our legislators have enough time to pursue investigations on the cost of text messages and other pointless issues, why the hell haven't they enacted legislation mandating basic security requirements for holders of sensitive personal/financial data?!?! Knock, knock, hello? Anyone home?

It'll probably take a half dozen of them to have their identity stolen before they realize this is a big problem.

@ZukeZuke: I hope it's not actually "literally."

This is nothing new. We have had the city of Claremont, CA, Boeing Corp., Bank of America and a few others DO THE EXACT SAME THING. Claremont offered nothing other than the information that they had lost personal data and we needed to pay attention to our credit scores etc.

I agree...losing your data then offering 1 year of credit monitoring is the "defacto" action now. What's that going to do when the list turns up 10 years from now and my bank account is emptied and credit cards are maxed? "Sorry, you should have um....done business somewhere besides us".