Pacific Residential Mortgage, LLC, (Pac Res) reported a data breach to the California Attorney General (CAG) on March 25, stemming from a ransomware attack against the Oregon-based mortgage company.
According to the company’s notice submitted to the CAG’s office, hackers gained unauthorized access to sensitive consumer data on Feb. 10, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and financial account information.
The notice also described the actions Pac Res took to secure its systems and determine whether customer information had been compromised.
“We promptly hired a cybersecurity firm to secure our environment and conduct an investigation to determine the nature and scope of the incident,” the company said in the notice. “We quickly recovered the affected systems from backups and started our investigation of the incident. We also promptly informed law enforcement of the incident. Based on the results of the forensic investigation, Pac Res conducted a review of the information that was accessed by the cybercriminals to determine what information was maintained within the compromised systems for purposes of providing this notice to the potentially affected individuals.”
The company has since notified law enforcement and sent data breach notification letters to affected individuals, outlining the specific information exposed. The number of consumers whose information was compromised in the breach was not disclosed in the notice.
According to the Federal Trade Commission’s (FTC) Safeguards Rule, financial institutions are required to notify the FTC no later than 30 days after discovering a security breach involving information belonging to 500 or more consumers. When companies fail to comply with this requirement, they can be subject to a class action lawsuit.
Multiple law firms have announced they are investigating the Pac Res data breach while also urging consumers to contact them for legal services if they receive a notice from the company indicating their information has been compromised.
Pac Res is offering affected customers access to single bureau credit monitoring services and fraud assistance and remediation services through Cyberscout, a Transunion company, at no charge for 12 months of cybersecurity alerts. To activate these services, customers must enroll within 90 days of receiving their notice letter.
Pac Res was founded in 2004 and operates in 34 states, offering conventional loans, FHA loans, VA loans, USDA loans, jumbo loans, reverse mortgages and refinancing solutions.