In This Article
Between October 2023 and October 2025, cyberattacks against mortgage lenders exposed the personal data of over 47 million Americans. Mr. Cooper lost 14.7 million customer records. LoanDepot lost 16.9 million. Settlement costs alone exceeded $86.6 million.
Those numbers represent borrowers who trusted their mortgage company with Social Security numbers, bank account details, and financial histories. Every breach breaks that trust. And once broken, trust does not come back easily.
For mortgage companies competing on service and reputation, cybersecurity is no longer an IT line item. It is a trust signal that borrowers, warehouse lenders, and regulators all evaluate before doing business with you. Access Business Technologies manages Microsoft 365 tenants for more than 750 financial institutions as a Tier-1 Direct-Bill Cloud Solution Provider, and the way ABT operates that footprint is what produces the trust signal in the first place.
The Mortgage Breach Epidemic
The mortgage industry has been hit harder than most financial services sectors in the last two years. Here is what the data shows:
| Incident | Date | Records/Data Lost | Cost/Impact |
|---|---|---|---|
| Mr. Cooper | Oct 2023 | 14.7M customer records | $25M+ response costs |
| LoanDepot | Jan 2024 | 16.9M records (ransomware) | $86.6M settlement |
| McLean Mortgage | Oct 2024 | 1TB of loan, payroll, tax files | Black Basta ransomware |
| SitusAMC | Nov 2024 | Vendor breach (JPM, Citi, MS) | Multi-bank exposure |
| Union Home Mortgage | Jun 2025 | SSNs, addresses, passports | 2+ month notification delay |
| Marquis Software | Aug 2025 | 700+ FI customers exposed | Ransom paid, OFAC risk |
The common thread is not sophisticated attacks. Most of these breaches exploited stolen credentials, unpatched systems, or weak access controls. Basic security hygiene would have prevented or limited the damage in every case. For a detailed look at how continual monitoring catches these gaps before attackers do, see our companion article.
Why Cybersecurity Is Now a Trust Signal
Borrowers choosing a mortgage company evaluate rates, service speed, and reputation. Cybersecurity sits underneath all three. A breach disrupts operations, delays closings, and destroys the reputation you spent years building.
Three audiences now evaluate your security posture directly:
Borrowers
A 2025 TransUnion survey found that 29% of consumers in 18 countries reported financial losses due to fraud, averaging $1,747 per incident. Borrowers are paying attention. Companies that can demonstrate strong data protection win the trust comparison.
Warehouse Lenders and Partners
Correspondent and warehouse partners increasingly request security documentation before extending credit lines. Your Microsoft Secure Score, MFA enrollment rate, and incident response plan are all part of that evaluation.
Regulators
The FTC Safeguards Rule requires mortgage lenders to maintain a written information security program, designate a Qualified Individual, enforce MFA, and report breaches affecting 500+ consumers within 30 days. Non-compliance fines run up to $100,000 per violation. The NYDFS levied a $2 million penalty in 2025 for Part 500 violations and can fine up to $250,000 per day for ongoing non-compliance.
The Trust Equation Has Changed
Before 2023, a mortgage company's cybersecurity posture was invisible to borrowers. After 47 million records leaked across five major breaches, security is now a visible trust signal. Borrowers, partners, and insurers all ask the same question: "Can you prove your data is protected?"
Building Trust With M365 Guardian Security Insights
M365 Guardian is the operating model ABT layers on top of the Microsoft 365 tenants it manages for mortgage companies, banks, and credit unions. Guardian Security Insights is the part of that operating model that turns Microsoft's underlying security telemetry into a borrower-facing and examiner-facing trust signal. Mortgage lenders keep their Microsoft 365 licensing and tenant ownership. ABT, as a Tier-1 Direct-Bill Cloud Solution Provider, manages the configuration, monitoring, and reporting layer through delegated administrative access. Four capabilities are what produce the trust signal:
Visible Security Posture. M365 Guardian Security Insights tracks your Microsoft Secure Score across Identity, Devices, Apps, and Data. A score trending from 40% to 90% is a trust signal you can share with partners, insurers, and auditors. It is proof that your security program works.
Proactive Vulnerability Management. Guardian flags stale accounts, MFA gaps, and unmanaged devices before they become attack vectors. The mortgage breaches of 2023-2025 exploited exactly these weaknesses. Closing them proactively is the difference between prevention and crisis response. The Microsoft Entra ID identity layer, paired with Microsoft Intune device compliance, sits underneath that proactive view.
Automated Compliance Documentation. Guardian generates the reports that FTC examiners, auditors, and insurance underwriters request. Compliance prep that used to consume 20 hours per week shrinks to automated delivery. One mortgage company client cut audit preparation time by 50%.
Executive-Ready Reporting. Board members and C-suite leaders receive clear dashboards showing security progress, risk reduction, and compliance status. No technical translation needed. This transparency builds internal confidence and enables faster decision-making.
How Microsoft Defender and Microsoft Sentinel Anchor the Detection Layer
Underneath the Guardian operating model sit two Microsoft products that do the actual detection and response work: Microsoft Defender and Microsoft Sentinel. ABT manages both as part of every mortgage company's Microsoft 365 tenant footprint. The borrower-facing trust signal does not exist without these two layers running and tuned correctly.
Microsoft Defender for Office 365 and Microsoft Defender for Endpoint are the active threat-detection layer. Defender for Office 365 inspects every email a loan officer or processor receives for phishing, impersonation of warehouse lenders, malicious attachments, and links that lead to credential-harvesting pages. The mortgage breaches of 2023-2025 almost all began with a credential-theft email that bypassed weak filters. Defender for Endpoint sits on every laptop and workstation, watching for ransomware behavior, unauthorized PowerShell activity, and lateral movement across the firm's footprint. When ABT enrolls a new mortgage company tenant into M365 Guardian, the first thing the Guardian operating model does is upgrade Defender from default settings to broker-tuned anti-phishing, anti-impersonation, Safe Attachments, and Safe Links policies. That upgrade is what catches the kind of credential-theft email that hit Mr. Cooper and LoanDepot.
Microsoft Sentinel is the SIEM and SOAR layer that turns Defender alerts into a continuous, time-stamped incident timeline. Every Microsoft Entra ID sign-in, every Defender for Endpoint detection, every Microsoft Purview audit event, and every Microsoft Intune compliance change feeds into Sentinel. ABT operates a 24x7 security operations center against that telemetry, with analytic rules tuned to mortgage-specific attack patterns rather than left at vendor defaults. When an examiner asks "show me the evidence trail from the first sign of compromise through containment," Sentinel produces that timeline. When the FTC Safeguards Rule's 30-day breach notification window starts ticking, Sentinel is what tells the firm whether it has a notifiable incident and exactly which customer records were touched. The combination of Defender's detection and Sentinel's correlation is what shrinks the IBM-reported industry average of 241 days to detect and contain a breach down to hours.
The borrower-facing trust signal in a mortgage company is the visible output of a stack of Microsoft products. Microsoft Entra ID supplies identity, MFA, and Conditional Access. Microsoft Intune enforces device compliance across firm-owned and personal devices that loan officers use in the field. Microsoft Defender for Office 365 and Microsoft Defender for Endpoint handle email-borne and endpoint-borne threats. Microsoft Purview Audit and DLP hold the books-and-records side. Microsoft Sentinel aggregates the signals into the SIEM that produces the FTC Safeguards Rule and warehouse-lender evidence trail. M365 Guardian is the ABT-operated layer that applies, monitors, and documents the whole stack across every tenant in the firm's footprint, with a 24x7 security operations center watching the Defender and Sentinel signals every minute of the day.
How Does Your Security Posture Compare?
The average mortgage company Secure Score that ABT encounters on first assessment is below 40%. Where does yours stand?
Get Your Security GradeCybersecurity as Competitive Advantage
Most mortgage companies treat cybersecurity as a cost center. The ones winning market share treat it as a differentiator.
For every dollar not spent on prevention, mortgage companies pay $10 to $50 in breach response costs. Mr. Cooper's breach alone cost $25 million in direct response.
- Attract security-conscious borrowers. When borrowers compare lenders, the company that can articulate its data protection approach wins trust. ABT manages Microsoft 365 tenants for 750+ financial institutions using this approach.
- Strengthen partner relationships. Warehouse lenders extend larger credit lines to partners with documented security programs. A strong Secure Score is financial leverage.
- Lower insurance costs. Cyber insurance premiums correlate directly with security posture. Higher scores mean lower premiums. That saving flows straight to the bottom line.
- Avoid the breach nightmare. The IBM 2025 Cost of a Data Breach Report puts the global average at 241 days to detect and contain a breach. Continual monitoring through Microsoft Sentinel shrinks that window to hours. For a breakdown of how hidden IT complexity drives up breach costs, see our cost analysis.
Your Trust-Building Action Plan
- Check your Secure Score today. In ABT's experience managing Microsoft 365 tenants for 750+ financial institutions, scores below 60% typically indicate significant control gaps that borrowers, partners, and regulators will surface.
- Enforce 100% MFA through Microsoft Entra ID Conditional Access. The FTC Safeguards Rule requires it. Your cyber insurer expects it. Every mortgage breach in the last two years involved credential-based access that MFA would have blocked.
- Clean up stale accounts. Every inactive account is an open door. ABT recommends a 90-day inactivity threshold as a baseline. Disable stale accounts and reclaim the licenses.
- Document your security program. The FTC requires a written information security plan. Having one is the minimum. Having one that produces measurable results from Microsoft Defender and Microsoft Sentinel is the differentiator.
- Make security visible. Share your Secure Score improvement with partners. Include security posture in your marketing. Borrowers trust companies that are transparent about protection.
Start Building Trust Through Stronger Security
Trust is the foundation of mortgage lending. Every borrower who shares financial data with your company is making a trust decision. M365 Guardian Security Insights from ABT gives mortgage companies the tools to earn that trust and prove it to borrowers, partners, regulators, and insurers, with Microsoft Defender and Microsoft Sentinel doing the underlying detection work and ABT's 24x7 security operations center watching the signals.
Frequently Asked Questions
Borrowers share Social Security numbers, bank account details, and financial histories during the mortgage process. A data breach exposes that information and triggers customer churn rates of 18 to 25 percent in financial services. A 2025 TransUnion survey found 29 percent of consumers reported fraud losses averaging $1,747 per incident. Companies that demonstrate strong data protection through visible security metrics build trust that directly influences borrower decisions.
The FTC Safeguards Rule requires mortgage lenders to maintain a written information security program, designate a Qualified Individual to oversee it, conduct periodic written risk assessments, implement MFA for system access, encrypt customer data in transit and at rest, perform annual penetration testing, and report breaches affecting 500 or more consumers within 30 days. Non-compliance can result in fines up to $100,000 per violation.
Recent mortgage breaches have been exceptionally costly. Mr. Cooper's October 2023 breach cost at least $25 million in response. LoanDepot's January 2024 breach led to a $86.6 million settlement. The Marquis Software breach in August 2025 impacted over 700 financial institutions through a single vendor compromise. The industry pattern shows that for every dollar not invested in prevention, mortgage companies pay $10 to $50 in breach response costs.
Yes. Cybersecurity is becoming a competitive differentiator in mortgage lending. Warehouse lenders evaluate security posture before extending credit lines. Borrowers compare data protection practices when choosing lenders. Cyber insurance premiums drop with higher security scores. Companies that can demonstrate a strong Microsoft Secure Score and a documented security program backed by Microsoft Defender and Microsoft Sentinel attract partners, retain borrowers, and reduce operating costs.
M365 Guardian is the operating model that ABT, a Tier-1 Microsoft Cloud Solution Provider, layers on top of the Microsoft 365 tenants it manages for mortgage companies. The Guardian operating model includes broker-tuned policy configuration, 24x7 security operations center coverage, and audit-ready reporting. Microsoft Defender for Office 365 and Microsoft Defender for Endpoint are the underlying detection layer, watching email and endpoints for the credential-theft and ransomware patterns that hit the 2023 to 2025 mortgage breaches. Microsoft Sentinel is the SIEM that correlates Defender alerts with Microsoft Entra ID sign-in events, Microsoft Purview audit logs, and Microsoft Intune device compliance changes into a single time-stamped incident timeline. M365 Guardian Security Insights is the part of the operating model that turns this telemetry into the Secure Score, MFA enrollment, and compliance reporting that borrowers, warehouse lenders, FTC examiners, and cyber insurers actually look at.
