Academy Mortgage, a Utah-based independent mortgage lender with branch offices in 38 states, has been targeted by a ransomware group that has published some of its confidential files on the internet.
According to a report by databreaches.net, a website that tracks such breaches, the ransomware group AlphV (BlackCat) added Academy Mortgage to its leak website on the dark web on May 14.
Along with posting internal documents from the company, BlackCat added a statement:
“We have been in your network for a long time and have had time to study your business. In addition, we have stolen your confidential data and are ready to publish it. We have your customer/partner data, personal data, finances, confidential data and so on.
Considering the recent underwriting fraud case that your company faced in December, a privacy data breach could have a devastating impact on your reputation and credibility. Such a breach could cause severe damage to public trust and lead to significant financial losses.”
The underwriting fraud case the group cites refers to a settlement Academy Mortgage agreed to in December to resolve charges it improperly originated and underwrote mortgages insured by the federal government.
While Academy Mortgage did not admit guilt, it agreed to pay $38.5 million to resolve allegations it violated the U.S. False Claims Act by improperly issuing mortgages insured by the Federal Housing Administration (FHA).
The settlement resolved a lawsuit filed by Gwen Thrower, a former Academy underwriter, under the whistleblower provisions of the False Claims Act. The provisions allow a private party (known as a relator) to file a lawsuit on behalf of the U.S. and to receive a portion of any recovery.
In her lawsuit filed in the Northern District of California, Thrower claimed that from January 2008 through April 2017, Academy’s underwriting process led employees to disregard FHA rules and falsely certify compliance with underwriting requirements. She also alleged that, as a result of Academy’s knowingly deficient underwriting practices, the government paid insurance claims on loans that were improperly underwritten.
Under terms of the settlement, Academy agreed to pay $38.5 million to the United States. Thrower was to receive $11.5 million as her share of the proceeds.
According to databreaches.net, BlackCat’s post claims Academy Mortgage refused to pay anything, and provides several screencapped files as proof it has access to the company’s computer system. The post does not indicate whether BlackCat locked any files or if it merely exfiltrated copies of files, the website report states.
Academy Mortgage officials did not immediately respond to a request for comment.
The company has not posted anything on its website about the breach, and it is not known whether it has notified its customers about it.
According to its website, Academy Mortgage has more than 200 branches nationwide and served more than 54,000 families last year. The company originated more than 24,100 mortgages totaling nearly $8.3 billion in 2022, according to Modex.
