On Q reveals cyber incident affecting more than 200K

Another cyber hack has hit a mortgage lender, with the latest exposing personal data of over 200,000 people.    

On Q Financial reported details of the security incident in a filing with the Office of the Maine Attorney General last week, initially learning of "suspicious activity" on Feb. 20 coming through vulnerabilities in the software program Screenconnect. The application is used for remote access to the On Q computer network. 

Upon notification, On Q began an immediate investigation and installation of a patch to the Screenconnect software, which is owned by Connectwise, before discovering data had been compromised. 

"On March 14, 2023, the investigation determined that the Connectwise vulnerability permitted an unknown individual to gain access to our computer network and the personal information of some of our clients was exfiltrated from our network," the company wrote in a letter sent to affected customers.

Personal identifiable data, including names and Social Security numbers, belonging to 211,650 individuals nationwide were found to have been exfiltrated, the filing stated.

In its letter, the company said it would offer a year of credit monitoring and fraud assistance services from Transunion subsidiary Cyberscout but said it saw no evidence personal data had been misused thus far. 

Neither On Q Financial nor its legal representatives responded to a request for comment on Thursday. Last year, the Scottsdale, Arizona-based lender originated $692.5 million worth of loans, with the majority of business coming from the Western U.S., according to S&P Global. The company is licensed in 44 states and the District of Columbia.

The latest cyber hack announcement is one of dozens of attacks to have hit mortgage lenders, servicers and title insurance agencies of all sizes in 2023 and 2024. On multiple occasions, including breaches involving Planet Home Lending and Carrington Mortgage Services, fraudsters similarly gained access to company systems and data through vendor software, pointing to increasing risk found in third-party vulnerabilities. 

Other incidents were proven or alleged to be ransomware attacks, where cyber criminals deny victims access to their data until a designated sum of money is paid.

The wave of cybersecurity events affecting the mortgage industry is shining the spotlight on fraud reporting, contributing to a recent call from Ginnie Mae for timely notifications after they happen. The order was announced in an effort to ensure Ginnie Mae issuers are able to meet their obligations to investors and minimize impact to mortgage stakeholders. 

News of On Q's filing quickly caught the attention of attorneys around the country this week, paving the way for likely future litigation. On Wednesday, Oklahoma City law firm Federman & Sherwood said it had begun an investigation into the data hack and asked for victims to come forward to discuss potential legal action.