On February 16, BlackCat added loanDepot to their dark web leak site, but without any data as proof. At the time, they claimed that LoanDepot had shown up in the negotiation chat, and had offered $6 million for the data and a decryptor, but allegedly claimed they could offer more after the weekend. But after the weekend, they reportedly never showed up again.
BlackCat also made a number of other allegations about LoanDepot and its incident management, but none of those claims are readily verifiable or refuted by DataBreaches and hence, are not being repeated.
This week, loanDepot submitted a breach notification to the Maine Attorney General’s Office. That report, filed by their external counsel, indicates that 16,924,071 customers were affected by the incident.
In its letter to those affected, loanDepot writes that they discovered the incident on January 4. Investigation revealed that data had been exfiltrated between January 3 and January 5 and may have impacted consumers’ name, address, email address, financial account numbers, social security number, phone number, and date of birth.
The notification letter does not mention that data were locked, or whether loanDepot had backups of consumer data that it could use to restore all functions and operations, but BlackCat states that the firm sought to purchase a decryptor from them during its negotiations. loanDepot’s notification letter of February 23 was silent about the impact of the attack on its functioning, but it has been posting status updates on its website since January 8. Those updates seem to suggest that most, if not all, operations are functional again.
Affected consumers are being offered two years of complimentary services with Experian.