Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption.
loanDepot is a major nonbank mortgage lender in the United States, with over $140 billion in serviced loans and roughly 6,000 employees.
Customers began experiencing issues on Saturday when trying to log in to loanDepot’s payment portal to pay loans or contact them by phone.
“loanDepot is experiencing a cyber incident. We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible,” the company told BleepingComputer over the weekend. “We are working quickly to understand the extent of the incident and taking steps to minimize its impact.”
After detecting the security breach, loanDepot started an investigation with the help of external cybersecurity experts and began notifying relevant regulators and law enforcement agencies.
Following the attack, the company informed customers via social media that recurring automatic payments would still be processed, although delayed before they appear in the payment history.
However, making new payments using the servicing portal will not be possible, and affected customers are advised to reach out to the call center for assistance.
Tagged as a ransomware attack
As the loanDepot revealed today in an 8-K filing with the U.S. Securities and Exchange Commission, the attackers also encrypted files on compromised devices, but it’s unclear which ransomware group was behind the attack.
The breach also forced loanDepot to shut down some of its systems to block the attackers’ access to other devices on its network.
“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data,” it said.
“The Company will continue to assess the impact of the incident and whether the incident may have a material impact on the Company.”
While loanDepot only mentions that the threat actors gained access to systems and encrypted files, ransomware gangs now also commonly steal corporate and customer data during breaches to use as leverage when pressuring victims into paying a ransom.
Given that loanDepot holds sensitive customer data like financial and bank account information, those affected by the breach should be vigilant against potential phishing attacks and identity theft attempts.
In May 2023, loanDepot disclosed a data breach resulting from a cyberattack in August 2022 that exposed customer data.
Mortgage lending giant Mr. Cooper also suffered a cyberattack in November 2023, which led to a data breach that exposed the personal data of 14.7 million customers.
Similarly, First American Financial Corporation, one of the target U.S. title insurance companies, took some of its systems offline before Christmas to contain the impact of a cyberattack.