Retail Mortgage Lender loanDepot Disrupted by Ransomware Attack

Irvine, California-based U.S. retail mortgage lender loanDepot disclosed it suffered a ransomware attack that disrupted operations, including loan repayments.

With about 6,000 employees and $140 billion in outstanding loans, loanDepot is the fifth-largest retail mortgage lender, servicing more than 27,000 customers each month.

In an 8-K filing with the U.S. Securities and Exchange Commission (SEC), loanDepot said it responded to a cybersecurity incident by shutting down some systems to contain the attack, launching an investigation with third-party cyber forensics, and notifying law enforcement and regulatory authorities.

Mortgage lender loanDepot confirms ransomware attack

Although the mortgage lender did not describe the incident as a ransomware attack, it confirmed that the attackers encrypted data.

“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third-party activity included access to certain Company systems and the encryption of data,” loanDepot said.

Subsequently, the mortgage lender responded by deactivating the impacted systems to prevent the attackers from traversing laterally across the entire network.

“In response, the Company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online, and respond to the incident,” loanDepot said.

loanDepot said the ransomware attack disrupted loan repayments via the online servicing portal, although recurring automatic payments were unaffected: “For our loan servicing customers, recurring automatic payments continue to process as expected, but there may be a temporary delay in viewing the posted payment in your payment history.”

The mortgage lender said it was working quickly to restore the affected systems but advised customers to contact its call centers for assistance or mail in their checks accompanied by their loan numbers.

Angry customers took to social media with complaints after unsuccessfully trying to pay their mortgages. loanDepot temporarily halted late fees until January 25, 2024, when payment systems would likely be operational.

It remains unclear if the ransomware attack leaked customer data, which could include extensive personal and financial information required for authorizing mortgages.

“Many industries, including financial services, have data retention requirements for legal, compliance or regulatory reasons,” said Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. “Because of these requirements, it is not uncommon for companies to retain a large amount of past customer data, making them an attractive target for bad actors.”

Typically, threat actors employ double extortion by exfiltrating employee, customer, and corporate data and threatening to auction or publish it online to coerce the organization into paying the ransom.

“Most ransomware attacks now include data exfiltration,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “Does this one, and if so, what was taken? It is only when customers know the answers to these questions can they be reassured that everything possible is being done to best protect them and to prevent another similar attack from happening again.”

Mortgage industry under attack

The loanDepot ransomware attack is the second cyber incident to impact the company in two years. In May 2023, the mortgage lender disclosed an August 2022 cyber attack that leaked customer data after hackers briefly breached a “small number of internal accounts.”

Similarly, a string of data breaches, resulting in personal information disclosure, has rocked the mortgage industry.

In December 2023, the Santa Ana, California-based mortgage lender First American took its systems offline after experiencing a cybersecurity incident that leaked data and encrypted certain “non-production systems.”

In November 2023, Dallas, Texas-based mortgage lender Mr. Cooper (formerly Nationstar Mortgage LLC) leaked the personal information of 14.7 million customers in an apparent ransomware attack.

Fidelity National Financial (FNF), a title insurance and settlement service provider for the real estate and mortgage industries, suffered a BlackCat ransomware attack in November 2023, exposing the data of 1.3 million customers.