Hackers accessed data of 16.6M customers in loanDepot cyberattack

loanDepot’s latest update of its ongoing cyberattack shows that hackers gained access to the sensitive personal information of about 16.6 million individuals. The update, released Monday, does not reveal details of the data accessed by the unauthorized third party.  

“Unfortunately, we live in a world where these types of attacks are increasingly frequent and sophisticated, and our industry has not been spared. We sincerely regret any impact to our customers,” Frank Martell, loanDepot CEO, said in a statement. 

The company said it will notify individuals affected by the cyber incident and “offer credit monitoring and identity protection services at no cost to them.”

The top-15 U.S. mortgage lender informed customers and the wider public of the cyberattack that brought its systems down through a filing with the Securities and Exchange Commission (SEC) on Jan. 8. It indicated the date of the earliest event was Jan. 4. 

On Jan. 18, loanDepot began to restore its servicing customer portal. It also brought back online its portal for Home Equity Line of Credit (HELOC) customers, “MyloanDepot customer portal” dedicated to online applications and status tracking, and the “mellohome” portal for its real estate affiliate.

Martell said the entire team has worked tirelessly to support customers and partners and is “pleased” by the progress in quickly bringing systems back online. 

While the company is working to restore all its technology systems, it’s already the target of a class-action lawsuit filed by a customer. 

On Jan. 19, Daroya Isaiah filed a class-action-seeking lawsuit against the company, claiming that by then, loanDepot hadn’t disclosed the total number of customers impacted by the cybersecurity incident and the sensitive personal information or PII accessed. 

The lawsuit states that customers “have been placed in an imminent and continuing risk of harm from fraud, identity theft, and related harm caused by the data breach and should remain vigilant for any signs of fraud or identity theft for the indefinite future.”

The customer said since the data breach, she has experienced “a significant increase in SPAM phone calls or text messages; and noticed strange information or accounts on her credit report.” She believes it could be attributed to the data breach. 

The plaintiff accuses the company of negligence, breach of contract, breach of fiduciary duty and unjust enrichment, among other allegations.     

A spokesperson at loanDepot said the company does not comment on “pending litigation.”