October 3, 2022

The Lending Company Of AZ Reports Data Theft But Gives No Help To Those Compromised

Data Theft At Major Arizona Mortgage Company Leaves Many Questions Unanswered

Major incidents of data theft seem to be occurring with alarming frequency.  Even companies with considerable resources seem powerless to prevent the theft of customer records containing sensitive personal and financial data.

Two recent cases involving Michaels Stores and Sony Corp show that even huge companies are vulnerable to hackers.  I will leave it up to the experts to determine whether these data thefts are due to inadequate security protocols, but when they do occur, the company involved should take prompt and serious actions to ensure that damage to customers and employees is limited.

A serious case of data theft has occurred at The Lending Company, a major Arizona mortgage company based in Phoenix, Arizona.  In a letter sent to current and former employees, The Lending Company said,

“We are contacting you about a potential problem involving identity theft.  Recently, we have learned of a data security incident in which someone accessed and potentially downloaded sensitive personnel records including names, contact information, and social security numbers.  We have notified law enforcement  regarding the incident and have provided them with a general report.  Due to the nature of this incident we strongly encourage you to take preventative measures to help prevent and detect any misuse of your information.

We recommend that you place a fraud alert on your credit file…You are encourage to call any one of the three major credit bureaus listed below.”

The Lending Company also suggested that these additional steps be taken:

  1. Check your credit report periodically
  2. Review a copy of the comprehensive FTC guide to guard against identity theft
  3. Contact local law enforcement and file a report if you find suspicious activity on your credit report
  4. File a complaint with the FTC which will add your complaint to their Identify Theft Data Clearinghouse

The response of The Lending Company to this serious case of data theft leaves potential victims of identity theft with many unanswered questions including:

  • How long was it between the data theft and the date is was discovered?
  • Why were potential victims not immediately notified by email or a phone call instead of being informed by “snail mail”?
  • The letter only mentions a theft of personnel records.  Is there also a possibility that the theft of customer loan records occurred, potentially exposing thousands of borrowers to identity theft?
  • Did The Lending Company have reasonable security measures in place to protect customer and employee data?

The Lending Company gave a long list of chores to the victims to minimize their potential losses and aggravation due to identity theft.  Dealing with the credit bureaus, FTC and law enforcement involves a huge time commitment.  Why is The Lending Company not stepping forward with a help line or live support to deal with multiple agencies regarding a data breach that is ultimately the responsibility of The Lending Company?

It is routine in cases involved compromised financial information for the company involved to offer free credit monitoring through a credit bureau which sends alerts regarding potential credit and identity theft risks.  The credit monitoring services also have a team ready to assist victims with fraud resolution and provide identity theft insurance coverage.

The Lending Company is ultimately responsible for the data theft yet has done nothing to assist potential victims other than sending them a letter which basically says “good luck” with your efforts to stop identity theft or fraud that may occur due to data stolen from The Lending Company’s offices.

Companies should be required by law to take immediate steps to protect customers and employees in the case of theft of personal and financial records.  At a minimum, companies who allow sensitive data to be stolen should provide at no charge the best credit and fraud monitoring services available.

The Lending Company has failed to protect data and has now failed to help those who may be at risk of identity theft or worse.  Hopefully, The Lending Company will recognize its responsibility and immediately take more proactive steps to protect its customers and employees.

Satyam’s Phony $1 Billion – How They Did It

One would think that with the number of business frauds, Ponzi schemes and other financial deceptions exposed over the last decade that auditors would have a more skeptical and cautious attitude.

The Satyam case is particularly perplexing when considering one of the major fraud aspects of the case.  Satyam reported cash balances of approximately $1.11 billion when in fact they had 94% less, or only around $66.6 million.

What makes this fraudulent reporting of cash balances so strange is how the auditors could possibly miss over a billion dollars.   Verifying cash balances is a routine step in the audit process.   In addition, routine “topside” analytical procedures are usually employed to verify that a large number on the balance sheet makes sense.

For example, if a company reports a cash balance of $1 billion dollars, does that cash balance look reasonable compared to the interest income reported?    A quick check on what rate of interest the company was earning should have resulted in determining if the interest income the company reported from its cash holdings was reasonable.  Perhaps Satyam fraudulently inflated the income earned on their phantom cash as well, in which case this procedure may not have lead to suspicion.  A routine financial audit is not conducted with the intention of discovering management fraud.

Verifying cash balances , however, is an entirely different matter.  Cash balances are easily verified by sending a balance confirmation request directly to the banking institutions in which the cash is held.   Cash confirmations are a simple and routine audit procedure.  A company holding over $1 billion in cash and conducting business worldwide would have accounts with many different banks.  The odds of having someone at many different banks intercept and falsify a bank confirmation is highly unlikely; so how did the auditors miss $1 billion?

The most plausible explanation is that the auditors did not comply with standard audit procedures.   Once the bank confirmations are prepared by the auditors, procedure requires that they be taken directly to the postal service by the auditors.  Instead, I suspect that a very cooperative and friendly staff at Satyam offered to take care of mailing the bank confirmations, thereby saving the auditor the extra effort of independently mailing the confirms.   This breakdown in a routine audit procedure most likely resulted in the bank confirms never being mailed to the banks. The confirmations were retained and fraudulently completed by Satyam, and then mailed back to the unsuspecting auditor.  The doctored confirmations examined by the auditors matched what the company said they had in cash and everyone was satisfied.

Result: simple audit rule violated and huge fraud goes undetected.