Major mortgage lender loanDepot reported that it was the victim of a cyberattack that forced it to shut down some of its systems Monday in an 8K filing with the Securities and Exchange Commission (SEC).
The loanDepot case was among cyberattacks reported in the financial sector over the past five weeks, along with loanDepot, Fidelity National Financial, LoanCare and Mr. Cooper.
While loanDepot did not call the Jan. 4 incident a ransomware attack, it did say that the unauthorized third-party activity included access to certain company systems and the “encryption of data.” The company, which originated more than $17 billion in loans last year, said it is working with leading cybersecurity experts and has notified applicable regulators and law enforcement authorities.
With loanDepot’s recent disclosure of a cyber incident, it’s yet another reminder that the mortgage and loan industry has been in the crosshairs of cyber threat actors for quite some time, said Yossi Rachman, senior director of security research at Semperis.
Rachman said while details of the attack on loanDepot are scant, they have most likely suffered a ransomware attack that targeted its proprietary data.
“Today, most global heavyweights in the mortgage and loan industry use robust security strategies to protect sensitive data,” said Rachman. “Unfortunately, persistent threat actors will target certain companies and look for gaps in their security architecture until they find a weak spot. In addition, age-old phishing scams are still highly effective in breaching organizations, as hackers send emails to a wide set of employees within a company and wait until someone inadvertently clicks on an attachment with malicious software code.”
New SEC reporting requirements
Given that loanDepot is a publicly traded company, it could be one of the first companies to understand the impact of the new SEC requirements that went into effect last month, explained Piyush Pandey, chief executive officer at Pathlock. Pandey said it’s interesting that the company is still trying to determine whether the incident is “material” or not.
“The challenge is whether this is a ‘material’ incident based on the SEC definition,” said Pandey. “If so, they will have to disclose this in their next 8K report and document their security processes in their 10K at the end of the year.
Pandey added that from a breached company’s perspective, it adds to the stress of responding to a critical event and having to manage the communications to not over/under communicate. However, it’s a “good thing” for the thousands of customers whose data may have been compromised and helps to alert them to stay aware of potential phishing risks.
John Gunn, chief executive officer at Token, said victims act as though they’re doing a public service by not revealing how cybercriminals gained access to their network because this would provide some sort of incredible advantage to future attackers.
“But in reality, 90% of these types of attacks use the same simple phishing methods that rely on social engineering to lure users into clicking on malicious links or opening attachments, and the attack invariably succeeds when the victim-company’s 20-year-old MFA technology is defeated,” said Gunn.