It’s only the first quarter of 2024 and major breaches are already being announced, with two major financial organizations reporting breaches in their 8-K filings. It’s no surprise they were targets: current stats show that ransomware attacks against financial services increased from 55% in 2022 to 64% in 2023, almost double the amount reported in 2021. This is a major problem for financial organizations, considering the average cost of a breach is $4.45 million. The combination of data lost, cost of remediation, reputational damage, and regulatory fines adds up quickly.
In this article, we will explore the recent Prudential and LoanDepot breaches, investigate what went wrong, and look at some ways to help prevent such disasters in the future.
The first part of 2024 was a significant blow to financial organizations, with Prudential and LoanDepot being hit by cyberattacks. To cybercriminals, compromising these organizations is a huge win as they not only store large quantities of sensitive data but also have the money to pay off ransoms – even repeat ones if it comes to that. No matter the outcome, money will be made once the attacker gets into their organization.
LoanDepot, a major non-bank retail mortgage lender, was the first organization targeted, in January. The cyberattack compromised a massive amount of customer data, with the initial report estimating 17 million affected customers. The data lost was more than just basic names and addresses; it included financial account numbers, social security numbers (SSNs), phone numbers, and dates of birth (DoB). This treasure trove of sensitive information can easily be used by cybercriminals for fraud and identity theft, placing the victims at risk.
The ALPHV/BlackCat ransomware group took responsibility for the attack, claiming to hold LoanDepot’s data; so far, no ransom has been paid. Based on previous attacks by this group, it is highly likely that the attack started with ransomware infections spread by seemingly safe files carrying hidden malicious code. Such files are often delivered via phishing attacks that trick employees into opening them and launching the code, kicking off a chain reaction of infections. Given the scale of the data loss, the ransomware likely also deployed rootkits, giving the attackers direct access to the network to conduct more in-depth attacks and steal large volumes of sensitive data.
LoanDepot confirmed that it took immediate steps to secure its systems and initiated an investigation with external cybersecurity experts. Such attackers often leave hidden backdoors to come back to later, making the likelihood that they will return relatively high. And as always, if it’s already been breached, the damage is typically already done.
Not even a month later, Prudential was hit by the same ALPHV/BlackCat ransomware group. Unlike LoanDepot, Prudential has disclosed few details about the exact scope and nature of the breach; the reported incident is described as a cybersecurity breach involving unauthorized access to its systems, primarily affecting administrative and user data related to employees and contractors. Interestingly, Prudential did not specify ransomware in any of its communications or filings with the U.S. Securities and Exchange Commission (SEC). Its own internal investigation reportedly found no evidence of malware, ransomware, data destruction, or alteration, and the company did not believe the threat actor still had access to its systems.
The absence of malware may be why the overall impact was far less significant than LoanDepot’s. According to Prudential, the attackers only made off with administrative and user data related to employees and contractors. Unlike the LoanDepot data, which can be used directly for fraud, the data stolen here is more likely to be used to stage a future attack.
On the surface, these may look like two separate attacks with little in common beyond the criminal group claiming credit and an 8-K filing with the SEC.
Beyond those surface similarities, the root causes and outcomes of the attacks are where the real overlap lies. Both companies had attackers infiltrate their most protected inner networks and compromise sensitive data. The attacks likely began with similar methods of gaining initial access, such as phishing emails, exploiting network vulnerabilities, or credential theft. Either way, both ended with sensitive data leaking outside the organization.
It takes more than one line of defense to stop such dedicated attacks. It starts by reducing the risk before an attack ever begins. Many of these attacks originate from phishing or from malicious content hiding in seemingly safe files shared over email or social media or uploaded directly into trusted interfaces. A combination of antivirus (AV) and Content Disarm and Reconstruction (CDR) tackles this head-on. AV efficiently eliminates known threats, stopping them from spreading. CDR works in tandem with AV: it stops previously unseen or zero-day threats by proactively sanitizing all content to remove hidden active elements rather than relying on recognizing them. This reduces the risk of attackers getting a foothold in the organization in the first place.
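As an added illustration of the CDR idea described above (this is example code written for this article, not Votiro’s product or its method), the Python below rebuilds an Office-style OOXML package from scratch, keeping only parts that are not active content: VBA projects, embedded OLE objects, ActiveX and macro sheets are dropped without any attempt to judge whether they are malicious, and the package manifest is rewritten so the result still opens cleanly. The sample document, part names and content types it uses are constructed for the demonstration.

```python
import io
import re
import zipfile

# OOXML (docx/xlsx/pptx) parts that carry executable or active content. A CDR step
# rebuilds the file without them instead of judging whether each one is malicious.
ACTIVE_PART_RE = re.compile(
    r"(^|/)(vbaProject\.bin|vbaData\.xml)$|(^|/)(embeddings|activeX|macrosheets)/", re.I)
CT_OVERRIDE_RE = re.compile(r'<Override PartName="(/[^"]+)"[^>]*/>')
CT_DEFAULT_RE = re.compile(r'<Default Extension="([^"]+)"[^>]*/>')

def sanitize_ooxml(data: bytes):
    """Return (sanitized_bytes, removed_part_names, kept_parts); the output archive is
    written from scratch, so nothing from the original container is carried over."""
    removed, kept = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        for name in src.namelist():
            if ACTIVE_PART_RE.search(name):
                removed.append(name)
            else:
                kept[name] = src.read(name)
    # Keep the manifest consistent: drop entries for removed parts and unused extensions.
    ct = kept["[Content_Types].xml"].decode("utf-8")
    ct = CT_OVERRIDE_RE.sub(lambda m: "" if m.group(1)[1:] in removed else m.group(0), ct)
    exts = {n.rsplit(".", 1)[-1].lower() for n in kept if "." in n}
    ct = CT_DEFAULT_RE.sub(lambda m: m.group(0) if m.group(1).lower() in exts else "", ct)
    kept["[Content_Types].xml"] = ct.encode("utf-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, blob in kept.items():
            dst.writestr(name, blob)
    return out.getvalue(), removed, kept

def build_sample_docx() -> bytes:
    """Constructed sample, not a real document: body text plus a VBA project and an
    embedded OLE object, the kind of parts a sanitizer strips (blobs are placeholders)."""
    ct = ('<Types><Default Extension="xml" ContentType="application/xml"/>'
          '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
          '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
          '<Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/x-ole"/></Types>')
    parts = {"[Content_Types].xml": ct.encode("utf-8"),
             "word/document.xml": b"<w:document><w:body><w:p><w:t>Q1 statement</w:t></w:p></w:body></w:document>",
             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real macro",
             "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real object"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

A production CDR engine goes much further (it parses each part, re-renders images, and rebuilds PDFs and other formats), but the principle is the same: reconstruct a known-good file from allowed content rather than try to recognize every bad one.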
To build on this defense, Data Detection and Response (DDR) prevents data from being lost, misused, or accessed by unauthorized users. It monitors and lets you control data in transit, in use, and at rest to block or alert administrators when sensitive data is accessed inappropriately. This prevents widespread breaches of information across organizational boundaries, especially sensitive data that cybercriminals can hold for ransom.
Votiro combines Zero Trust Content Security with Data Detection and Response (DDR) in a single platform, offering a comprehensive solution for digital threat protection. The platform focuses on proactively preventing file-borne threats, real-time adherence to privacy and compliance standards, and providing actionable insights from data. Global organizations rely on Votiro to mitigate risks to their teams, customers, and reputation from various digital threats.
Votiro’s Zero Trust DDR approach is tailored to seamlessly blend threat prevention with data privacy, ensuring high business security. This approach is not limited to effectively eliminating malware and detecting sensitive data; it extends to safeguarding against a wide range of security and privacy threats in real-time. This approach is designed to identify and address potential vulnerabilities before they can be exploited, reinforcing the security posture of organizations.
To learn more about Votiro’s Data Detection and Response capabilities, sign up for a one-on-one demo of the platform or try it free for 30 days and see how Votiro can proactively defend your data’s security and privacy – and keep you safe from breaches like the ones above.