LoanDepot says it quickly shut down a hack last August

Lender and servicer LoanDepot quickly shut down a data breach last August, it said.

LoanDepot said 1,361 customers nationwide had personal information including Social Security numbers exposed in the cyber attack, according to a notice filed Monday with the Office of the Maine Attorney General. It's a small breach compared to recent hacks at other mortgage firms, but a rare disclosure from one of the nation's top home loan players.

"LoanDepot identified brief unauthorized access to a small number of internal accounts; this access was terminated and the incident was remediated within three hours," wrote Joseph Grassi, chief risk officer, in a letter distributed to affected consumers in Maine.

The company in a statement Monday said there is no evidence any personal information was misused, and the unauthorized access was limited in scope and duration.

The attack occurred Aug. 2, 2022, according to the Maine notice, and was discovered the next day when loanDepot observed "anomalous activity" within its network. The lender also reported the breach to unnamed regulators, it said. 

The company offered impacted consumers free two-year membership of an identity theft resolution program from Experian.

The nation's top independent mortgage banks rarely disclose data breaches, although reporting and length of time between a hack and consumer announcement varies widely across the country. Rocket Mortgage in November 2021 reported a small attack that occurred three months earlier when an employee's email inbox was compromised, impacting information for 133 people nationwide, according to a notice filed in Maine.

In a recent example of uneven reporting requirements, Carrington Mortgage Services did not reveal a ransomware attack at a vendor impacting at least 50,690 customers in Maine but filed disclosures in Massachusetts, Texas and Washington. Depositories meanwhile will be subject to more stringent reporting requirements in the coming years after a Congressional bill passed last spring.

Other smaller but prominent lenders and servicers meanwhile have been walloped by large cyber attacks in the past 18 months, affecting a combined millions of consumers. More than 1.5 million customers were impacted in a breach at Flagstar Bank in December 2021, while over 4 million people were affected by a hack at a trio of Bayview Asset Management-owned servicers. Fintechs have also been hit, including 86,000 users of mortgage lender Lower.

Victims of the Flagstar, Lower and Bayview breaches have also filed class action suits against the firms, accusing them of lax cyber security measures and delayed notices, among other claims.