loanDepot, one of the nation’s top mortgage lenders by volume, is the latest target of a cybersecurity attack that forced the company to shut down some of its systems Monday, according to an 8-K filing with the U.S. Securities and Exchange Commission.
The Irvine, California-based lender said it first became aware of the cyber attack on Jan. 4, 2024, telling federal regulators it took steps to contain and respond to the incident.
As of this writing, loanDepot’s customer portal was still down, and the lender is directing customers to pay their mortgage by phone. Several customers took to social media to vent their frustrations with the lender over their inability to make regular monthly mortgage payments or access their accounts online.
From January to September 2023, loanDepot originated more than $17 billion in loan volume and held a servicing portfolio of nearly $144 million as of Sept. 30, according to its third quarter 2023 financial results.
“Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data,” loanDepot told federal regulators.
“In response, the Company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident.”
The reference to data encryption points to a potential ransomware attack, though loanDepot hasn’t disclosed the exact nature of the incident or how many customers might be impacted.
When reached by email Monday for comment, a loanDepot spokesperson referred media to a cybersecurity incident webpage that acknowledges the company took certain systems offline and is “working diligently to restore normal business operations as quickly as possible.”
“We are working quickly to understand the extent of the incident and taking steps to minimize its impact,” the statement reads. “The Company has retained leading forensics experts to aid in our investigation and is working with law enforcement. We sincerely apologize for any impacts to our customers and we are focused on resolving these matters as soon as possible.”
Cyber attacks hit housing industry hard in recent months
A recent string of cyberattacks on housing-related companies underscores the high stakes involved when millions of customers’ data is compromised. Here’s a snapshot of some recent high-profile cybersecurity breaches:
- First American Title, another leading title insurance and settlement firm, also fell victim to a cyberattack in December that took its systems offline for two weeks. The attack came just one month after the company agreed to a $1 million settlement with the New York State Department of Financial Services for cybersecurity violations that led to a data breach in 2019. In addition to the steep penalty, First American pledged to enact “significant remedial measures to better secure consumer data.”
- Fidelity National Financial, one of the nation’s largest title insurance agencies, was hit with a ransomware attack in November, shutting its systems down for more than a week. The personal data of more than 1.3 million customers was compromised.
- Mr. Cooper, a mortgage lender and servicer, told federal regulators in December that criminals stole the personal data of 14.7 million past and present customers in an October cyber attack.
- MLS provider Rapattoni reported a cyberattack in August that took 23 MLSs around the country offline. The incident brought real estate listings (and many transactions) to a halt in those markets for two weeks.
Numerous class-action lawsuits have been filed against Fidelity and Mr. Cooper in the wake of those breaches. The lawsuits accuse the companies of not doing enough to adequately secure their systems and protect customers’ data.
Data breaches are costly for consumers and businesses, and the incidents lead to enhanced public scrutiny over whether or not companies are doing enough to protect their customers’ data.
The global average cost of a data breach reached a record high of $4.45 million in 2023, according to IBM’s 2023 Cost of a Data Breach report. That’s up 2.3% from $4.35 million in 2022, however, it’s a 15.3% jump from $3.86 million in 2020, IBM reported.
“As was the case in 2022 and 2021, customer [personal identifiable information] was the most commonly breached record type in 2023. 52% of all breaches involved some form of customer PII. This is an increase of five percentage points from 2022, when customer PII accounted for 47% of all data compromised,” according to IBM’s report.