Texas lender says ransomware attack impacted 12,000 clients

A Texas-based lender said it was hit with a ransomware attack in July that’s impacted at least 12,000 customers, according to new disclosures.

HomeTrust Mortgage, based in Houston, revealed in notices to state officials in the past week that at least 12,873 consumers in Texas and Montana had personally identifiable information compromised. The company hired security experts and a computer forensic investigator, according to a copy of a letter to clients, and an investigation revealed in late September that customers’ names, addresses and Social Security numbers may have been exposed.

“The investigation confirmed that we were the victim of a ransomware attack, and an unauthorized individual had gained access to our network,” according to a letter dated Nov. 23 to the Montana Department of Justice’s Office of Consumer Protection.

The Montana letter, signed by firm president and co-founder William Knapp, indicated four state residents were impacted. A notice to the Office of the Texas Attorney General said 12,869 residents were affected.

The lender, which also does business as Home Mortgage of America, a company it merged with in 2012, didn’t respond to requests for comment Thursday morning.

HomeTrust said it hasn’t seen evidence of misuse of consumer information but is offering between 12 and 24 months of complimentary services from IDX, which include credit monitoring and a $1 million insurance reimbursement policy.

The company was founded in 1986, is licensed in eight Sun Belt states and lists 15 branches in Texas and New Mexico. HomeTrust offers adjustable rate mortgages, conventional, government-insured and jumbo loans and counts 179 employees on LinkedIn. The lender has no relation to North Carolina-based HomeTrust Bank.

The HomeTrust disclosure is a rare admission by a mortgage firm of the type of hack it suffered, as most companies disclose neither the type of cyber attack nor the culprit. Ransomware incidents can be especially devastating, with title and settlement platform Cloudstar suffering a massive disruption last summer. The combined costs of data breaches set companies back $4.35 million on average in 2022, an all-time high, according to IBM.

Industry firms ranging from lenders to servicers and vendors have disclosed in the past 12 months breaches impacting a combined millions of customers, with some facing numerous class action complaints from consumers alleging the companies failed to protect their PII. Plaintiffs in separate data breach lawsuits against depository lender KeyBank and a trio of servicers have also sought in recent months to consolidate their class action complaints.
