Cyber Incident Victim: Mortgage Investors Group

Mortgage Investors Group (MIG), a Tennessee-based mortgage lender with over 26 branches and approximately 300,000 customers, experienced a cybersecurity incident beginning on December 11, 2024. The attack was detected on December 12, prompting an investigation that confirmed unauthorized access to MIG’s computer environment. This breach resulted in the exposure of sensitive personal information belonging to an undisclosed number of individuals. MIG publicly disclosed the incident via a notice on its website, stating that compromised data included affected customers’ full names and financial information. The company engaged an external vendor to identify impacted individuals and stated direct notifications would occur within several weeks following the identification process. MIG did not confirm whether the incident involved ransomware or provide specifics about the operational disruption caused by the attack.

The Black Basta ransomware gang claimed responsibility for the attack shortly after its discovery. Federal law enforcement agencies had previously identified Black Basta as a prolific threat actor targeting 12 of 16 critical infrastructure sectors, with at least 500 global victims between April 2022 and May 2024. The group’s prior targets included Dish Network, the American Dental Association, and the Chilean government. MIG’s breach occurred within a broader pattern of ransomware attacks against U.S. housing-sector financial institutions, including high-profile incidents affecting lenders and title insurers such as Mr. Cooper, LoanDepot, Fidelity National Financial, Nations Direct Mortgage, and First American. These attacks have historically disrupted housing transactions, though MIG did not disclose whether its operations or customer loan processes were similarly affected. The company has not released additional technical details about the intrusion vector, containment measures, or data recovery efforts beyond its initial public statement.