Top-15 U.S. mortgage lender loanDepot confirmed Monday morning that it is the industry’s latest cyberattack victim. The incident has brought loanDepot’s systems down.
The California-based lender, which originated roughly $17 billion in mortgage loans from January to September 2023, said it has launched an investigation with the support of cybersecurity experts. It has also begun notifying regulators after it identified an incident that has affected company systems and the encryption of data.
“The company shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident,” loanDepot said in an 8-K filing with the Securities and Exchange Commission (SEC).
The document mentions the date of earliest event reported as Jan. 4, 2023. The company added that it will continue to assess the impact of the incident.
Customers faced difficulties accessing systems during the weekend, according to social media posts. loanDepot’s servicing portfolio reached about $144 billion as of Sept. 30, 2023.
On its servicing website, the company notes to customers that “recurring automatic payments are processing as expected.” Still, there may be a temporary delay in viewing the posted payment in customers’ payment history. It directs customers to make payments by phone or mail.
A spokesperson for loanDepot directed HousingWire to the SEC filing and a company statement on an incident report website it recently created.
“We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible. We are working quickly to understand the extent of the incident and taking steps to minimize its impact.”
Several big companies in the mortgage space have become targets of cyberattacks in recent months.
In late November, Fidelity National Financial suffered a ransomware attack that took its systems offline for a few days, claimed by the gang AlphV/BlackCat. Teneika Tillis filed a class action lawsuit against Fidelity and its subservicer Loancare, alleging they were negligent with customer data.
In December, First American, another title insurance provider, faced a cyberattack that affected its services, including title insurance, escrow, mortgage transactions and technology for the real estate and mortgage industries.
LoanDepot has also been the victim of a prior cybersecurity attack. In April 2023, loanDepot told the New Hampshire Attorney General’s Office that it had sustained a phishing attack in early August 2022.
Joseph Grassi, loanDepot’s chief risk officer, told New Hampshire authorities that attackers were able to gain access the email accounts of four employees. The company said the incident was resolved within three hours and a subsequent forensic investigation concluded that “the threat actors did not access any additional parts of the network, or any data outside of the four email accounts. The investigation did not identify any evidence that the threat actors created mailbox rules, sent personal information from the affected accounts, or moved or deleted data. The investigation indicated, however, that some personal information could have been accessed or acquired by the threat actors during the incident.”
Grassi told state officials that loanDepot manually reviewed 42,440 documents from the exposed email accounts for the presence of personal information, which indicated 1,364 impacted individuals nationwide (including one in New Hampshire).
“The process of identifying the potentially affected individuals took time to complete due to material personnel changes at loanDepot during the breach response, and because of the volume and nature of data (including images and handwritten documents) that had to be manually reviewed, formatted, and cataloged,” Grassi wrote.
Grassi told New Hampshire authorities that loanDepot had not observed any evidence that “the data has been made public or has been otherwise misused.”