successful access. Accordingly, Employee’s username and password alone were not
sufficient to provide the cyber criminal with remote access to her email account and its
contents. To allow access, Employee also had to provide a second means of authentication.
In this instance, Employee did so by tapping the screen of her smartphone to give her
approval in response to an alert from an MFA application on her phone, a notice that someone
was seeking approval to log in to her email account.
8. On the evening of March 5, 2019, Employee tapped her phone screen four
times to provide authentication and permit remote access to her email account. Employee
granted access even though her workday was over and she was not, herself, attempting to
access her own email account. The following day, after the fifth such prompt for
authentication, Employee notified Residential Mortgage’s Information Technology (“IT”)
staff of the anomalous activity.
Residential Mortgage’s Failures to Investigate and Provide Requisite Notice
9. The internal investigation conducted by Residential Mortgage in response to
the Cybersecurity Event was inadequate. Residential Mortgage’s IT staff immediately
determined that a cyber intruder had accessed Employee’s email account on four occasions
between March 5 and 6, 2019, nominally from an IP address originating in South Africa,
and blocked further access. The IT staff then failed to conduct any further inquiry after
concluding that the unauthorized access was limited to Employee’s email account. This
failure was especially egregious given Employee’s daily handling of the private data of

[Footnote on "IP address":] An Internet Protocol address, or IP address, is a unique set of numbers that can identify an internet device, such
as a phone or computer. An IP address can be used to obtain an IP Geolocation, which identifies the
geographical location from which the internet device is communicating. Cyber criminals, however, frequently
hide their true IP addresses and geolocations by routing communication through a VPN, or Virtual Private
Network. In this manner, a true IP address can be concealed.