The ransomware attack on loanDepot that compromised the personal data of 16.6 million has so far cost the mortgage lender almost $27 million in incident-related expenses.

In their second-quarter financial earnings report this week, company executives wrote that the costs include “expected insurance recoveries, including costs to investigate and remediate the Cybersecurity Incident, the costs of customer notifications and identity protection, professional fees including legal expenses, litigation settlement costs, and commission guarantees.”

In addition, they noted that the bulk of the second-quarter expenses related to the ransomware attack was $25 million loanDepot accrued toward the settlement of a class-action lawsuit filed against the company. Included in the sensitive data compromised through the attack were names, addresses, phone numbers, email addresses, Social Security and financial account number, and dates of birth.

The attack, attributed to the now-shuttered BlackCat – also known as ALPHV – ransomware group, was first reported by loanDeport January 8. The company launched an investigation with the help of third-party forensic and security experts and law enforcement, determining that the attack was launched by the threat group four days earlier.

LoanDepot, which launched in 2010, said it is the fifth-largest retail mortgage lender, with more than 6,000 employees who help more than 27,000 customers each month. Since its inception, the company has funded more than $275 billion mortgages.

A Cautionary Tale

The company’s $26.9 million attack-related cost “serves as a stark warning of the severe financial ramifications of failing to protect sensitive data from exfiltration,” said Darren Williams, founder and CEO of cybersecurity firm BlackFog. “The reality is that data is the ultimate prize for cybercriminals and ransomware continues to be the most profitable weapon in their toolkit, making the chances that businesses will be attacked and data will be stolen exceptionally high.”

The class action lawsuit, filed against loanDepot April 1 in Federal District Court in Illinois, accuses the company of failing to take the necessary steps to protect its data security systems and the sensitive information they contain.

In addition, the plaintiffs noted that loanDepot didn’t notify affected customers that their data had been compromised, “virtually ensuring that the hackers could monetize, misuse, and/or disseminate the stolen personal data before the affected customers could take steps to protect themselves,” FeganScott, the law firm that filed the lawsuit, wrote in a blog post.

Financial Institutions are Taking Hits

The incident was part of a larger surge over the past couple of years of ransomware attacks on financial services. In January, insurance broker Keenan and Associates said it was notifying more than 1.5 million people that their personal information may have been stolen during an attack on its systems the previous summer by the Cactus ransomware group.

Fidelity National Financial said hackers stole data from more than 1.3 million customers in a November 2023 attack that BlackCat claimed responsibility for, while mortgage lender Mr Cooper said hackers stole the personal information of almost 14.7 million people in a security breach in October 2023.

A November 2023 attack by the notorious LockBit ransomware group on a third-party financial software provider compromised the data of 57,028 Bank of America customers.

Cybersecurity vendor SentinelOne wrote in January that financial institutions were the second-largest target of threat groups in 2023, with the number of incidents jumping from 55% in 2022 to 64% a year later. The U.S. Federal Reserve said the top threat to financial services firms was ransomware-as-a-service.

An Attractive Target

Given cybercriminals’ thirst for personal data as a tool for ransoming money from organizations, it’s not surprising that financial services institutions are becoming a larger target.

“The financial sector is uniquely exposed to cyber risk,” researchers with the International Monetary Fund wrote in an April report. “Financial firms – given the large amounts of sensitive data and transactions they handle – are often targeted by criminals seeking to steal money or disrupt economic activity. Attacks on financial firms account for nearly one-fifth of the total, of which banks are the most exposed.”

Financial firms’ increasing reliance on third-party IT service providers – something that will likely increase as AI is adopted in the industry – also will be an ongoing concern.

“Such external providers can improve operational resilience, but also expose the financial industry to systemwide shocks,” they wrote, noting a ransomware attack last year on a unit of Trellance – a cloud services provider used by credit unions – caused outages at about 60 credit unions in the United States.

The global organization noted the acerating increases in malicious cyber-incident against the financial sector between 2004 and 2022 and the related skyrocketing losses to organizations in the industry.