AnnieMac data breach affects 171,000 consumers

Anniemac Home Mortgage is notifying 171,074 consumers of a data breach it experienced in August. 

An unknown actor gained access to the lender's systems and viewed, or copied sensitive customer data between Aug. 21 and Aug. 23, according to a notice with the Office of the Maine Attorney General. In letters to potentially affected customers, the company said names and Social Security numbers may have been compromised. 

The notice was filed Thursday, and another disclosure on Friday identified just over 7,000 Texans impacted.

The hack is the largest disclosed incident at a mortgage lender in months, although one other mortgage firm recently reported a smaller incident. The industry was probably impacted by major events at third party vendors this summer according to cybersecurity experts, although none have publicly addressed any issues. 

"Thanks to our team's vigilance and proactive monitoring, we detected the attack early and acted swiftly to secure our systems, minimizing potential harm, and notifying potentially affected individuals," Annie Mac CEO Joe Panebianco wrote in a statement to National Mortgage News.

"While there is no indication that personal information has been used to commit identity theft or fraud in relation to this event, as part of our unwavering commitment to safeguarding our customers' trusts, we offered credit monitoring and identity theft protection services to potentially affected individuals, free of cost," he added.

Anniemac said it noticed suspicious activity on its network Aug. 23, and promptly responded with assistance from unnamed third-party forensic specialists. The company said it "worked diligently" to notify consumers, and provided them with access to free credit monitoring services for 1 year through data breach response firm CyEx. 

The New Jersey-based lender and servicer is a prominent player in the independent mortgage banking space, with over $2.8 billion in origination volume last year, according to Home Mortgage Disclosure Act data. The business lists 74 active branches and 448 sponsored mortgage loan originators in Nationwide Multistate Licensing System records. 

The company also said it's providing notice to state and federal regulators as necessary, and the three credit reporting agencies. It's unclear which entities Anniemac reported to. Nonbanks are also subject to new rules by the Federal Trade Commission requiring notice no later than 30 days of incidents affecting 500 or more consumers. 

The Anniemac report comes a week after Cherry Hill, New Jersey-based EMM Loans disclosed a February hack affecting 2,313 consumers nationwide. Like most notifications, the company didn't reveal the culprit or type of attack. An investigation determined that some consumers' names, Social Security numbers, driver's license and passport numbers may have been exposed. 

EMM said it offered affected consumers 12 months of complimentary credit monitoring services with Transunion. The originator sponsors 98 MLOs across eight branches nationwide. A representative for the lender didn't immediately respond to a request for comment Friday afternoon.

Businesses often take more time to notify customers of cybersecurity incidents as they gather facts and determine what information may have been compromised. Consumers often respond to such notices with lawsuits accusing firms of negligence for failing to protect their data. 

Mortgage lenders this summer settled similar data breach complaints with plaintiffs. Those payouts vary greatly, depending on the breach: Sage Home Loans recently agreed to a $925,000 settlement; while Loandepot said it's incurred well into eight figures to address the fallout of its massive cyber attack last winter.

For reprint and licensing requests for this article, click here.
Cyber security Mortgage technology Data breaches Technology
MORE FROM NATIONAL MORTGAGE NEWS