Countrywide Says Customer Data Were Sold
Mortgage Lender Offers to Pay For Credit-Monitoring Service

By Renae Merle
Washington Post Staff Writer
Sunday, September 14, 2008

For up to 2 million Countrywide customers, the reality must be distressing: Their personal information, including Social Security numbers, was worth about 2.5 cents.

Countrywide, the big mortgage lender recently acquired by Bank of America, is notifying customers that a former employee may have sold their personal information to a third party. The firm says it has not seen evidence of the data being used for identity theft or fraud, but it is offering to pick up the tab for two years of a credit-monitoring service.

The Countrywide customers are now in an increasingly common predicament. More than 480 data breaches, including the loss or theft of consumer data, have been reported this year, according to the Identity Theft Resource Center, a San Diego nonprofit organization. About 15 percent of those involved theft of customer data by a company's employee.

In the Countrywide case, Rene L. Rebollo Jr., a senior financial analyst at the firm's subprime lending arm, is accused of selling the personal information of company clients. For about two years, Rebollo sold customer files, including Social Security numbers, in batches of 20,000 about every week for $500 per batch, according to a federal affidavit.

That amounts to about 2.5 cents a person. In total, Rebollo could have sold about 2 million customer files for a profit of $50,000 to $70,000, according to the Justice Department.

"It could be as many as 2 million, but we're not sure," because some of the data may have overlapped, said Thom Mrozek, spokesman for the U.S. attorney's office in Los Angeles. The investigation is continuing.

Rebollo, 36, pled not guilty on August 25.

Countrywide customers should not panic, said Jay Foley, executive director of the Identity Theft Resource Center. It appears that Rebollo was selling the information to mortgage brokers competing against Countrywide, not to people committing identity theft, he said.

The credit-monitoring service would notify customers of changes to their credit report. Don't ignore that offer, said Eduard F. Goodman, chief privacy officer at Identity Theft 911, which sells identity theft resolution services. "It's one of the best tools, hands down, for having an early recognition if someone has been misusing the information," he said.

Customers who want more protection could add a fraud alert or a security freeze to their credit files by notifying the credit reporting agencies. That way, they would be notified if someone tried to open an account with their information. However, those defenses could also make it more difficult for the customers to get credit cards or loans themselves, the experts said.

"Just because there was a breach doesn't mean you are an identity theft victim, but it does mean that you are much higher risk of becoming one," Goodman said.

(The three major credit bureaus: Equifax, 800-525-6286, http://www.equifax.com; Experian, 888-397-3742, http://www.experian.com, and TransUnion, 800-680-7289, http://www.transunion.com.)

View all comments that have been posted about this article.

© 2008 The Washington Post Company