Cybercrime , Finance & Banking , Fraud Management & Cybercrime

LoanDepot Ransomware Attack: 16.6 Million Customers Affected

Customers 'Sensitive Personal Information' Stolen, Large Mortgage Lender Reports
LoanDepot Ransomware Attack: 16.6 Million Customers Affected
Ransomware-wielding hackers infiltrated the systems of non-bank mortgage lending giant LoanDepot. (Image: Shutterstock)

Non-bank mortgage lending giant LoanDepot said hackers stole information pertaining to nearly 17 million customers when they breached its systems earlier this month.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

LoanDepot first publicly disclosed the ransomware attack on Jan. 8, reporting that it began on Jan. 4. The publicly traded company said attackers had infiltrated its network, gained unauthorized access to information, and encrypted data. In response, the company took multiple systems offline while it probed the attack.

Founded in 2010, the Irvine, California company, which sometimes styles its name loanDepot, services loans worth more than $140 billion and has about 4,500 employees. The company reported third-quarter 2023 revenue of $266 million and an adjusted profit of $18 million.

"This is the latest incident in a series of cyberattacks on the mortgage industry over the past six months, illustrating the importance of cybersecurity in mortgage operations," said William Fricke, senior credit officer for Moody's Investors Service, which rates residential mortgage-backed securitizations.

LoanDepot first quantified the suspected number of data breach victims Monday in a filing to the U.S. Securities and Exchange Commission, reporting that while its breach investigation remains ongoing, the company now believes attackers stole "sensitive personal information" pertaining to 16.6 million customers. LoanDepot said it will directly notify affected customers and offer them prepaid credit monitoring and identity protection services.

LoanDepot declined to comment about if it has attributed the attack to a particular ransomware group, received a ransom demand or paid a ransom in response to the attack.

Following the network intrusion and unauthorized access, LoanDepot said it brought in outside digital forensic and cybersecurity experts to investigate and help remediate the attack. The company said it is continuing to restore systems "as quickly as possible" and is issuing updates via a dedicated website.

The company reported on Thursday that it had restored its MyloanDepot customer portal, through which individuals make or track online loan applications. On Friday, the company said its customer portal and mobile app "are now fully operational."

The company previously reported that "recurring automatic payments continue to process as expected" and said it could still receive ACH payments.

By the time LoanDepot first confirmed falling victim to the ransomware attack, customers had been taking to social media for several days to report being unable to contact the company - one of America's biggest mortgage lenders - or access its website or payment portal to meet their mortgage payment obligations. The company requested that customers instead telephone its loan servicing contact center to make a payment or send payments via the mail.

On Jan. 11, Moody's reported "closely monitoring" the attack "and the impact it may have on approximately 50 Moody's-rated US RMBS transactions, where loanDepot services part or all of the collateral."

"As part of the cyber incident, borrowers are currently unable to log into their online portal on the company website, impacting their ability to make one-time payments through that portal," Moody's Fricke said at the time. "It remains to be seen what impact, if any, this may have on loan delinquency levels in the short term."

This isn't the first time attackers have infiltrated LoanDepot's network and stolen data. In May 2023, the company disclosed that in August 2022, attackers had gained access to information pertaining to 1,361 customers. LoanDepot directly warned affected customers that attackers had gained "unauthorized access to a small number of internal accounts" and may have stolen files containing their personal information, including Social Security numbers.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.