LoanDepot Ransomware 2024: 16.9 Million Records, SEC Disclosure Test
Breach Summary
The LoanDepot ransomware attack of January 2024 exposed the sensitive personal and financial information of approximately 16.9 million customers of one of the largest US nonbank mortgage lenders. The attack disrupted LoanDepot's online services, loan processing systems, and customer-facing platforms for weeks, demonstrating the operational and reputational consequences of ransomware against financial services companies processing sensitive consumer mortgage data.
What Happened
LoanDepot detected the ransomware on January 8, 2024, and immediately took systems offline. The company disclosed the incident to the SEC on January 22, 2024 under the new cybersecurity disclosure rules enacted December 2023. Loan processing and customer account access were disrupted for approximately three weeks. LoanDepot subsequently disclosed that approximately 16.9 million customers had their sensitive personal and financial data stolen, including Social Security numbers, financial account information, and loan documentation.
Attack Vector Detail
Attackers accessed LoanDepot's systems and encrypted data across the company's network, disrupting the online loan servicing portal, customer account access, loan origination systems, and internal operations. The attack was subsequently attributed to the ALPHV/BlackCat-affiliated ransomware group. LoanDepot disclosed the breach to the SEC under the new 4-business-day disclosure requirement enacted in December 2023, making it one of the first major tests of the SEC's cybersecurity disclosure rule in financial services.
Breach Pattern Timeline
January 4, 2024
LoanDepot — one of the largest U.S. retail mortgage originators — detects ransomware on its IT systems. Takes systems offline including customer-facing portals.
January 8, 2024
LoanDepot 8-K SEC filing discloses cyber incident. Customer access to online accounts and payment processing disrupted. Servicing operations on backup systems.
January 22, 2024
LoanDepot confirms ALPHV/BlackCat as the threat actor. Confirms data exfiltration affecting approximately 16.6 million customers.
January-February 2024
LoanDepot does not pay ransom. ALPHV publishes some stolen data on its leak site. Customer notifications begin. LoanDepot stock drops significantly on disclosed costs and revenue impact.
February 2024
LoanDepot Q4 2023 earnings call discloses estimated $12-16 million in direct breach costs for Q1 2024. Customer churn following breach becomes additional financial pressure.
April 2024
Class actions consolidated in federal court. ALPHV's Change Healthcare exit scam (March 2024) signals the end of ALPHV operations.
July 2024
LoanDepot Q2 results show breach-related impacts continuing. Customer notification process completed for 16.6M affected. Settlement negotiations begin.
2024-2026
LoanDepot class action consolidation continues. Mortgage industry-wide reassessment of cybersecurity controls follows. LoanDepot case becomes part of broader 2024 mortgage industry breach pattern (also: Mr. Cooper, Mortgage Capital Partners, others).
Total impact: ~16.6 million customers affected (mortgage-specific PII including SSNs, financial data), $12-16M direct costs, foundational precedent for mortgage servicing sector ransomware exposure and ALPHV's pre-exit-scam victim portfolio.
Executive Lessons
LoanDepot's breach was one of the first significant incidents requiring disclosure under the SEC's new 4-business-day cybersecurity disclosure rule. Incident response playbooks must include SEC disclosure analysis as an explicit step, with legal counsel engaged early in major incidents to assess materiality and prepare disclosure language on compressed timelines.
Private Equity Implications
LoanDepot's breach tested the new SEC cybersecurity disclosure rule that has direct implications for PE-backed companies approaching public markets and existing public companies in PE portfolios. Any PE portfolio company that is or anticipates being subject to SEC reporting obligations must build SEC cybersecurity disclosure processes into incident response planning. The 4-business-day materiality disclosure window is not compatible with unprepared incident response.