Pennymac Loan Services and RoundPoint Mortgage Servicing reported this week their customers were exposed to a data breach through the Sovos Compliance software, per filings with the Attorney General in California.
Sovos, which provides services to financial companies, said that its vendor Progress Software had a vulnerability in its MOVEit Transfer application on May 31, 2023. Sovos uses the application to provide services to its customers, including Pennymac and RoundPoint.
Sovos said that when the company became aware of the incident, it immediately took the application offline, activated its incident response procedures, retained outside advisors and notified law enforcement.
However, the company recently determined that unauthorized actors exploited the then-unknown MOVEit vulnerability to download a file containing some Pennymac and RoundPoint customers’ personal information.
Pennymac Loan Services was ranked No. 5 five among the top U.S. primary mortgage servicers in the second quarter of 2023, according to Inside Mortgage Finance data.
Its servicing portfolio grew to $576.5 billion in unpaid principal balance (UPB) as of June 30, up 2% from March 31. The company estimates its market share at 4.3% of the loan servicing market.
RoundPoint is a Two Harbors Investment Corp. company. Matrix Financial Services Corp., a leading mortgage servicer and a wholly owned subsidiary of the REIT, acquired RoundPoint from Freedom Mortgage Corp. in August 2022.
Two Harbors’ MSR portfolio was $224.3 billion as of June 30. The company said it completed transfers of approximately 63% of its MSR from the subservicing network to RoundPoint through June.
Regarding the data breach, Sovos said it has decided to offer two years of complementary credit monitoring and identity restoration services through Kroll Information Assurance to Pennymac and RoundPoint customers.