News that Planet Home Lending experienced a cyberattack by the LockBit ransomware group leveraging the Citrix Bleed flaw has come out in dribs and drabs.
The cyberattack last fall was first reported by a personal injury law firm in late January, but the tech press picked up on the news Feb. 12 after ClassAction.org said Planet Home faced a class action lawsuit based on the incident on Feb. 6.
The crux of the matter is that Planet Home Lending sent out a letter to customers Jan. 24 explaining that the personal information of its customers was breached in connection with one of the LockBit ransomware group’s recent campaigns.
It was the second time in the past several months Planet Home had to report a serious breach. The first was late last summer, when the company disclosed it was impacted by the MoveIT vulnerability.
In excess of 200,000 customers were reportedly affected in the most recent breach. The threat actors obtained names, addresses, Social Security numbers, loan numbers, and financial account numbers.
Planet Home’s letter said the root cause of the incident was the Citrix Bleed vulnerability that affected software in NetScaler ADC and Gateway appliances from Citrix Systems.
“While Planet had implemented multiple layers of security tools designed to prevent this type of unauthorized access, the threat actor was able to exploit this Citrix Bleed vulnerability to bypass these protections,” the letter said.
According to Planet Home, the attack happened on Nov. 15, and Planet Home became aware of the incident on the same day. Upon discovery, the company retained an outside forensics firm to conduct an investigation into the cause and impact of the breach. By Nov. 28, Planet was able to determine with “reasonable certainty” that the threat actor accessed a read-only data folder in which copies of loan files containing personally identifiable information of some of its customers were stored.
Planet Home notified the FBI about the incident and said in the letter that “in accordance with the standard recommendation of the FBI and financial regulators, we have not paid, and do not anticipate paying, any ransom amount to the threat actor.”
A spokesperson said Planet Home's operations were not adversely impacted and that the company has implemented additional safeguards to prevent future incidents. The company has offered 24 months of complimentary credit monitoring and identity protection services to those whose data was impacted.
Customer data makes financial industries a large target
Ashley Leonard, chief executive officer at Syxsense, said financial institutions will always be a target of cyberattacks because of the data they have and the need for high availability.
“If a bank’s operations are taken down, it can’t transact and make money, like in the case of Fidelity National Financial and now Planet Home,” explained Leonard.
Leonard added that the Citrix Bleed vulnerability has been incredibly difficult to mitigate, even for organizations that have patched their systems. Part of the attack path in exploiting this vulnerability is to leverage stolen credentials and bypass multi-factor authentication, said Leonard, “and once they have done that, they’re moving laterally throughout the network, making it difficult to find and root out.”
Patrick Tiquet, vice president, security and architecture at Keeper Security, said cybercriminals are drawn to the real estate and finance industries like magnets, enticed by the massive financial transactions and the treasure trove of sensitive personal information they can exploit.
“Many of these industries have data retention requirements for legal, compliance or regulatory reasons,” explained Tiquet. “Because of these requirements, it’s not uncommon for companies to retain a large amount of past customer data — increasing the size of target on their backs. Cybercriminals are always going to pursue the industries that offer high financial gain, like the housing and mortgage industries.”
