LoanDepot finally reveals what data was exposed in Jan hack

American online mortgage lender loanDepot has finally revealed exactly what sensitive customer information was exposed during a January cyberattack – since claimed by the ALPHV/BlackCat ransomware gang.

The California-based non-bank lender (NBL) Monday provided the Maine Attorney General’s Office a copy of the breach notification letter sent out to those whose data may have been compromised during the attack.

According to the latest numbers, 16,924,071 people have been affected so far. That’s roughly 300,000 more individuals than the 16.6 million originally reported to the US Securities and Exchange Commission (SEC) on January 8th, about six weeks ago.

In its original SEC 8-K filing, loanDepot admitted that some of its data had been "encrypted" in the attack, but did not disclose what that data might be – until now.

“We are writing to inform you of a data security incident in which your sensitive personal information may have been accessed by an unauthorized third party,” the February 23rd breach notification letter states.

loanDepot breach notification letter

LoanDepot said its investigation showed the attack took place from January 3rd through January 5th, with the company first becoming aware of “the unauthorized third party gaining access to certain of our systems” on or about January 4th.

Personally identifiable information (PII) stored in those systems included:

  • Name, address, phone number
  • Date of birth
  • Email address
  • Financial account numbers
  • Social Security number

It's not clear which financial account numbers the company is referring to (banking, mortgage, etc.), and loanDepot has still not divulged the amount of data that may have been stolen by the attackers.

The loanDepot cyberattack forced the company to take its systems offline, leaving many frustrated mortgage customers unable to log in or pay their bills for about a week. All of loanDepot’s portals and services were fully restored by January 19th, according to the company.

When Cybernews asked loanDepot why it waited six weeks to reveal what customer data was exposed, the company “declined to comment.”

LoanDepot announced in the letter it would provide two years of free identity protection and credit monitoring services for those affected, and will waive all late fees for the time period in question.

Claimed by ALPHV/BlackCat

“Your information is in the final process of being sold. That's all,” the Russian-linked ransomware gang wrote.

ALPHV/BlackCat named the home lender on its leak blog February 16th, accompanied by a lengthy post singling out the company for “cutting corners” and failing to pay up.

ALPHV also called out the online mortgage firm for not disclosing “the full amount of data stolen,” according to its post.

“We downloaded multiple databases from credit bureaus that included personal information about American citizens, even those who had never applied for any of their products From their accesses,” the group said.

ALPHV/BlackCat leak site

Furthermore, ALPHV claims loanDepot “withheld information about 4 TB of additional data that included comprehensive client data.”

The gang blamed the so-called failed ransom negotiations on the company’s legal team, insurance underwriters, and being “unable to make up their minds.”

“They offered $6 million for the data and decryptor… we waited over the weekend – a tactic used by negotiators. After the weekend was over, they disappeared,” ALPHV wrote.

Additionally, the gang implied it had sources at the company feeding them inside information.

“The CIO [Chief Information Officer] was 10 steps behind us and was feeding the Executive team false information on purpose. Our insiders at this company informed us that they were being pressured to leave [the negotiations] by their outside counsel,” the post said.

“As their networks were being taken over, they took weeks to make a decision… and finally turned to leave,” ALPHV added.

First observed in 2021, ALPHV/BlackCat operates under a ransomware-as-a-service (RaaS) model, selling malware subscriptions to criminal affiliates.

The group was tracked by ReliaQuest as the third most active ransomware cartel operating in Q3 2023, carrying out hundreds of attacks and causing an estimated loss of over $1 billion in 2023 alone.

Known for its triple-extortion tactics, the gang was responsible for the September ransomware attacks on the Las Vegas casino giants MGM Resorts and Caesars International, the latter of which is rumored to have paid a $15 million ransom to keep operations running.