Virginia-based WEI Mortgage disclosed this week that is the victim of a data breach that may have exposed the highly sensitive personal information of the lender’s customers.

WEI Mortgage, which is a subsidiary of Arc Home, revealed Monday that it discovered in September 2017 that one of its employees was the victim of a phishing scheme, which ultimately gained access to the employee’s account and perhaps other accounts.

According to the lender, with access to the email accounts in question, the hacker (or hackers) may have had access to numerous pieces of personal information including: Social Security number, date of birth, address, driver’s license or state identification number, passport number, bank account information, credit or debit card information, tax identification number, username and password, loan package information, and name.

The lender said that on approximately Sept. 20, 2017, it became aware of “unusual activity” tied to one employee’s email account.

After receiving the reports about the unusual activity, WEI began investigating to verify the security of its network and to determine the nature and scope of the potential breach.

The lender said that it engaged third-party forensic investigators, which determined that the company was the target of an email phishing attack that resulted in unauthorized access to certain employee email accounts.

Based upon the evidence found during the investigation, the lender determined that these email accounts were subject to unauthorized access between Sept. 13 and Sept. 28, 2017.

The lender cautions that its investigation found no evidence of actual or attempted misuse of personal information thus far, but the investigation showed that some personal information was present in the impacted email accounts at the time of the incident.

WEI said that the amount of personal information that was present in the impacted accounts varies by individual, but some of the above information was potentially exposed to hackers.

WEI also did not reveal the size of the breach or the number of potentially affected customers.

Additionally, health insurance information, health insurance group number, and health insurance member number of certain individual may have been exposed.

As for what the lender is doing now, WEI said that it takes the security of personal information “very seriously.”  The company said that it is “working diligently” to educate its employees about phishing scams and to confirm the ongoing security of its networks. 

WEI said that law enforcement was also notified of the breach, as well as applicable state regulators, as required by law. 

Additionally, the lender said that it is offering access to 24 months of credit monitoring and identity theft restoration services through AllClear ID to all affected individuals at no cost to them.