Planet Home Lending blames hack on vendor vulnerability

Planet Home Lending says a ransomware attack last fall compromised the Social Security numbers of 199,873 customers.

The hack exploited vulnerabilities in Planet Home Lending's information security systems purchased from technology firm Citrix Systems, the lender said last week in a notice to the Office of the Maine Attorney General. The breach occurred Nov. 15, 2023, and Planet Home Lending said it discovered the intrusion the same day.

"Planet was able to determine with reasonable certainty that the threat actor accessed a read-only data folder, in which copies of loan files containing personally identifiable information of some of its customers were stored," the firm said in a consumer notice dated Jan. 24.

The personally identifiable information compromised includes customers' names, addresses, SSNs, loan numbers and financial account numbers. 

The lender said it doesn't anticipate paying a ransom to the culprit in accordance with industry guidance; a ransom demand was not specified. The November hack is unrelated to Planet Home Lending's exposure in a different ransomware gang's vendor breach last June. 

Neither the company nor an attorney who filed the Maine disclosure responded to requests for comment Monday. 

The Citrix vulnerability was first discovered in August and the tech firm began releasing software updates in early October, according to the Cybersecurity and Infrastructure Security Agency. The exploit, known as "Citrix Bleed," allows hackers to bypass multi-factor authentication to hijack user sessions for Citrix's NetScaler ADC and Gateway information security softwares.

Planet Home Lending said prolific hackers LockBit were able to bypass its protections, although it didn't disclose further details around its security tools in place both before and after the incident. The company notified the FBI and hired a third-party consultant to perform a risk assessment of its systems. 

The lender claims there's no evidence of misuse of data and is providing affected consumers 24 months of complimentary credit monitoring and identity theft protection services through Experian's IdentityWorks. It's also offering up to $1 million in identity theft insurance, underwritten by Assurant-operated American Bankers Insurance Company of Florida.

Planet Home Lending originated over $950 million in loan volume last year through September, according to data from S&P Global. The Meriden, Connecticut-based company ended last year with 179 sponsored mortgage loan originators, Nationwide Multistate Licensing System data shows, and 35 branches nationwide. 

The recent disclosure represents yet another major breach on a mortgage player in the past few months, following wide-ranging cyberattacks at Mr. Cooper and Loandepot, among others. Those firms, in required notices to federal entities, however did not provide as many details about the type of incidents they suffered.

Also recently disclosing data breaches in Maine's database were smaller lenders Premium Mortgage Corp. and United Home Loans. Premium, a Rochester, New York-based lender, said 10,835 clients were affected in an August hack; Western Springs, Illinois-based United said the PII of 5,324 customers was compromised in a March 2023 incident.