Loandepot latest victim of a cyberattack

Loandepot was hit by a cyberattack, the company announced Monday.

The top-ranked mortgage lender "determined that the unauthorized third-party activity included access to certain company systems and the encryption of data," per a filing with the Securities and Exchange Commission dated Jan. 4. As a result, it took some operations offline.

The company did not provide specifics regarding when it identified the cybersecurity breach, but said that upon detecting unauthorized activity, it "launched an investigation with assistance from leading cybersecurity experts, and began the process of notifying applicable regulators and law enforcement."

"[We are] working diligently to restore normal business operations as quickly as possible," the lender wrote on its website. The company declined to immediately provide further details.

Loandepot's breach is the latest in a string of cyberattacks on companies in the financial services space, including mortgage lender and servicer Mr. Cooper, First American Financial and Fidelity National Financial.

One of the common themes in almost all of the other attacks is that personal identifiable information has been compromised. Fidelity revealed that PII, including Social Security numbers of 1,316,938 customers were exposed in the cyber attack, which occurred on Nov. 19. Meanwhile, Mr. Cooper's breach exposed the Social Security numbers of 14.7 million customers, a data-breach notification filed in Maine shows. Both companies are facing class action suits related to the data breaches.

Reporting these larger incidents will become broadly mandatory for mortgage shops later this year because the Federal Trade Commission voted unanimously in October to approve an amendment to its Safeguards Rule to include nonbank financial institutions

The FTC's rule requires nonbanks to notify the agency no later than 30 days after they discover a breach involving the information of at least 500 consumers. The agency defines incidents as events where third parties acquired unencrypted customer data without authorization. 

The notices must include information about the breach, such as the number of consumers either affected or potentially impacted. The reporting requirement goes into effect April 27, 2024.

For reprint and licensing requests for this article, click here.
Industry News Cyber attacks Mortgage technology Cyber security
MORE FROM NATIONAL MORTGAGE NEWS