Academy Mortgage allegedly targeted by ransomware gang

A ransomware gang is allegedly preparing to release a swath of customer data from Academy Mortgage after the lender refused to pay them in a data breach.

AlphV, or Black Cat, claims to have hacked Academy "for a long time" and is threatening to publish an undisclosed amount of the company's information, according to a post on Sunday on its dark web blog. The hackers are threatening to post "high credit scores" and banking information for Academy's borrowers within 2-3 days because of the company's alleged refusal to pay a ransom.

"Considering the recent underwriting fraud case that your company faced in December, a privacy data breach could have a devastating impact on your reputation and credibility," read a post by the group, shared on the internet by cybersecurity outlets. "Such a breach could cause severe damage to public trust and lead to significant financial losses."

The alleged threat refers to Academy's $38.5 million settlement in December with the government over alleged False Claims Act violations. If confirmed, this would be the second public ransomware attack on a mortgage company this year, after servicer Carrington Mortgage Services reported an incident at its technology vendor perpetrated by the Hive Ransomware group.

Academy didn't respond to a request for comment Tuesday.

The ransomware gang's post included images of purported Academy financial documents with some redactions. The news was first reported by blog DataBreaches.net and a similar screenshot was shared on Twitter by a blog from a cybersecurity firm. The Black Cat blog on the dark net was down when accessed by a reporter Tuesday.

The FBI advises companies not to pay ransoms, because a payment doesn't guarantee data recovery and could encourage further attacks. 

Draper, Utah-based Academy originated $7.4 billion in over 21,000 residential loans last year, largely across the West Coast, according to data gathered by financial firm S&P Global. The lender, which provides conventional, government-sponsored and jumbo loans, among other products, was founded in 1988 and counts 2,395 employees on LinkedIn.

The firm was accused in a 2016 whistleblower lawsuit of having deficiencies in underwriting the creditworthiness of borrowers between 2008 and 2017. Its settlement, in which it does not admit wrongdoing, also paid $11.5 million to the whistleblower, Glen Thrower. 

Lenders including depositories and independent mortgage bankers have been hit with cyber attacks impacting over 200,000 consumers since the beginning of the year, according to disclosures filed with the Office of the Maine Attorney General.