Countrywide Financial Corp. is contacting customers in Utah and the rest of the nation to alert them of a security breach possibly affecting as many as 2 million people.

In a letter this week, Countrywide said that an employee may have sold unauthorized personal information to a third party. The information includes names, addresses, Social Security numbers, mortgage loan numbers and other loan and application information.

The information was being sold to mortgage brokers to be used as sales leads, federal authorities said in August.

The employee has been fired and Countrywide has apologized to customers.

Connecticut Attorney General Richard Blumenthal has pegged the figure of affected customers at about 2 million, with more than 28,000 Connecticut residents affected over a two-year period.

Countrywide representative Jumana Bauwens said Wednesday that Countrywide has no evidence to indicate that any customer has been a victim of identity theft or fraud because of the security breach.

Bauwens said the breach was reported in August and that Countrywide investigators are continuing to work with the FBI in its investigation.

"We cannot comment further on the investigation at this time," Bauwens said.

Asked about the number of people in Utah and nationwide affected by the breach, Bauwens again declined to comment: "Since this is an ongoing investigation, we are unable to get into the specifics of the case."

In its letter to customers, Countrywide, based in Calabasas, Calif., said current mortgage holders' accounts will be monitored and mortgage holders would be contacted if any suspicious or unauthorized activity is detected. The company also said it would work with mortgage holders to resolve unauthorized transactions on their accounts related to the incident "if reported to us in a timely manner."

The company also has arranged for free credit monitoring services for the next two years through a two-year membership in's Triple Advantage Credit Monitoring, although customers need to enter activation codes online to enroll. The enrollment period lasts 90 days.

The company also is urging customers to contact the major credit bureaus and place a fraud alert on their credit reports, review recent account activity, and be vigilant when reviewing monthly credit card and other account statements for unauthorized charges over the next year or two.

Two Countrywide customers last month sued the lender and its parent company in U.S. District Court in Los Angeles, accusing Countrywide and Bank of America of failing to protect customers' sensitive information, according to the Los Angeles Times. The lawsuit asks that it be certified as a class action.

E-mail: [email protected]