Fairway hit with cyber attack in December

Fairway Independent Mortgage Corporation was hit with a data breach at the end of last year because of a third-party bug, a notice filed with the Attorney General of Massachusetts shows.

In Massachusetts, 430 customers were impacted by the cyber attack, which exposed their Social Security numbers, bank account information, credit card account numbers and other personally identifiable information, the lender disclosed Feb. 23. It remains unclear how many customers were affected nationwide.

Two law firms, Turke & Strauss LLP and Console & Associates, P.C., have issued notices urging impacted customers to reach out, opening the door for future litigation. This could add to an already hefty lineup of pending class action suits facing other lenders over recent data breaches.

On Feb. 2, Fairway started informing its customers of the event that was discovered Dec. 4.

The breach began Oct. 23 and ended Nov. 4, documents show.

In its notice, Fairway mentions the hack occurred due to a vulnerability in the vendor it uses.

It did not divulge the name of the third party, though a filing with the Attorney General of Massachusetts confirms the third party was Citrix Systems.

Following the attack, Fairway "promptly implemented the patch after it was released by the developer to rectify the newly identified vulnerability," wrote Bryan Ramsey, assistant vice president of information security incident response at Fairway, in a notice to customers in early February.

"Although the engagement of a third-party security firm was initiated for the expeditious analysis of the data to identify impacted customers, it took an extended duration for the firm to uncover the relevant information," he added.

The mortgage lender is offering two years of complimentary identity monitoring services through Experian, it said in its notice.

Fairway declined to respond to a request for comment.

A similar situation unfolded at Planet Home Lending late last year.

According to the lender, a hack, which compromised the Social Security numbers of close to 300,000 Planet Home Lending customers, occurred due to a vulnerability in its information security systems purchased from Citrix Systems.

The Citrix vulnerability was first discovered in August and the tech firm began releasing software updates in early October, according to the Cybersecurity and Infrastructure Security Agency. The exploit, known as "Citrix Bleed," allows hackers to bypass multi-factor authentication to hijack user sessions for Citrix's NetScaler ADC and Gateway information security software.

The mortgage company noted that the prolific hacking group LockBit used the vulnerability to bypass its protections and steal customer data. Planet faces at least six class action suits as a result of the breach.

On Feb. 20, the Department of Justice and the United Kingdom announced they disrupted LockBit's operations by seizing control of servers used by the online gang.

Update
Updated to include the identity of the third-party vendor used by Fairway, per information provided by the Attorney General of Massachusetts.
February 29, 2024 2:29 PM EST