LoanDepot confirms SSNs leaked in breach claimed by ALPHV/BlackCat

Major U.S. mortgage lender loanDepot notified nearly 17 million customers that their data, including Social Security numbers, may have been stolen in a cyberattack in January.

LoanDepot, which also offers personal loans, said in a breach disclosure published by the Office of the Maine Attorney General on Friday that an unauthorized third party accessed the data in company systems between Jan. 3 and Jan. 5, and that the incident was first detected on Jan. 4.

The compromised data included names, addresses, email addresses, financial account numbers, Social Security numbers, phone numbers and dates of birth, according to a sample notification letter provided by loanDepot to the Maine attorney general.

ALPHV/BlackCat claims responsibility for loanDepot breach

The lender previously disclosed to the U.S. Securities and Exchange Commission (SEC) in a Jan. 4 Form 8-K filing that the cyberattack included “encryption of data,” suggesting that ransomware was involved.

The loanDepot breach was claimed by ransomware gang ALPHV/BlackCat on Feb. 16, which also claimed a ransomware attack against Prudential Financial on the same day.

ALPHV/BlackCat claimed negotiations with loanDepot included a proposed $6 million ransom payment, although claims made by the criminal group should not be taken at face value, The Register reported. ALPHV/BlackCat also alleged loanDepot employed “stalling tactics” during negotiations and ultimately stopped responding to the group.

"This breach at LoanDepot is a stark reminder of the far-reaching consequences of ransomware attacks. It's concerning to see the scale and sensitivity of the data involved, particularly the inclusion of Social Security numbers, which opens up a Pandora's box of identity theft and financial fraud possibilities," Javvad Malik, lead security awareness advocate at KnowBe4, told SC Media in an email.

SC Media reached out to loanDepot with questions about the number of customer Social Security numbers leaked, ALPHV/BlackCat's claims and its plans to prevent future attacks. A loanDepot spokesperson said the company declined to comment.

"This incident underscores the critical need for organizations, especially those holding vast amounts of personal information, to invest in robust cybersecurity measures, including threat detection, response strategies, and most importantly, providing employees with timely and relevant security awareness and training," Malik added.

The cyberattack on loanDepot took place nearly a month after the FBI disrupted ALPHV/BlackCat’s operations, temporarily disabling the ransomware-as-a-service (RaaS) group’s website and creating a decryptor to help more than 500 victims recover their files. The group reemerged shortly after the disruption, saying it would allow its affiliates to target critical infrastructure in retaliation.

The U.S. Department of State is currently offering rewards of up to $15 million total for information about ALPHV/BlackCat leaders and affiliates.

Financial service breaches doubled in 2023

The latest breach notification increases the tally of affected loanDepot customers from the 16.6 million reported on Jan. 22 to more than 16.9 million. LoanDepot is offering all affected customers two years of free credit monitoring and identity theft protection through Experian.

"Furthermore, impacted customers should also be notified that their stolen information could be used to launch phishing or other social-engineering attacks against them. Customers should remain vigilant, particularly when contacted by anyone claiming to be from LoanDepot," Malik noted.

“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” loanDepot CEO Frank Martell said in a Jan. 22 statement.

The latest breach continues a trend of increasing cyberattacks on companies that provide loans and other financial services.

The financial services industry suffered the second highest number of data compromises in 2023, just behind healthcare, according to the Identity Theft Resource Center’s 2023 Data Breach Report. Additionally, the number of data breaches in the financial services sector more than doubled in 2023 compared with 2022, with 744 compromises last year and only 269 the previous year.

Cyberattacks on financial services companies in the last few months include the Prudential Financial and Fidelity National Financial breaches, which were also claimed by ALPHV/BlackCat, and the Mr. Cooper breach, which impacted more than 14.6 million current and former customers.

More than 2.7 million Mr. Cooper customers were also affected by a data leak resulting from the exposure of an unsecured Google Cloud storage bucket discovered by Cybernews in late December, although this leak is not believed to be connected to the prior cyberattack.

Recent regulatory actions also put more pressure on financial service firms to prevent cyberattacks and disclose them promptly when they occur.

New SEC rules, which went into effect on Dec. 18, require all large publicly traded companies to report “material” cyber incidents within four business days of their discovery.

In November, Morgan Stanley reached an agreement with the attorneys general of six U.S. states to pay a $6.5 million fine for security failures leading to a data leak exposing millions of customers’ sensitive information, in violation of several state data privacy laws.

Furthermore, non-banking financial institutions will be required, beginning on May 13, 2024, to report certain data breaches to the Federal Trade Commission (FTC) “as soon as possible,” and no later than 30 days after the discovery of a breach, due to an amendment to the FTC’s Safeguards Rule that was approved in October 2023.
