Cyber Incident Victim: SN Servicing Corporation

Date: Oct 2020

Location: United States of America

Summary

A mortgage servicing company experienced a ransomware attack leading to unauthorized access of customer data including names, addresses, loan details, and billing information. The organization responded by securing affected systems, engaging forensic experts, and implementing enhanced cybersecurity measures such as AI-driven malware detection tools and restrictions on international network traffic. The incident was claimed by the Egregor ransomware group, which listed the firm for refusing ransom payments, with potential links to prior operators of the Maze ransomware noted by analysts.

Description

On or around October 15, 2020, SN Servicing Corporation, a California-based mortgage loan servicing subsidiary of Security National Master Holding Company, experienced a ransomware attack impacting its systems. The company discovered the incident and immediately locked down affected systems while engaging third-party forensic experts to investigate the breach. A preliminary investigation determined that compromised data included customer billing statements and fee notices from 2018, containing names, addresses, loan numbers, balance information, and billing details such as charges assessed, owed, or paid. SN Servicing notified state attorneys general in California and Vermont of the breach, though the exact number of affected individuals was not disclosed in available reports. The company’s servicing portfolio included over 26,000 residential, commercial, consumer, and unsecured loans sourced from financial institutions, with a focus on under-performing and non-performing mortgages, including government-backed loans like HUD/FHA, USDA, and VA loans.

SN Servicing offered affected customers one year of free credit monitoring services and advised vigilance in reviewing account statements for suspicious activity over the following 12 to 24 months. In response to the attack, the company announced cybersecurity upgrades, including replacing email filtering tools, malware software, and internet monitoring systems with AI-enhanced solutions designed to detect and block known and emerging malware. Additional measures included blocking all inbound and outbound internet, email, and network traffic to and from foreign countries and upgrading infrastructure to enhance backup and recovery capabilities.

The Egregor ransomware group listed SN Servicing in its "Hall of Shame" section for companies refusing to pay ransoms, though no data appeared to have been publicly released at the time of reporting. Egregor, first detected in September 2020, was described by the FBI as a rapidly emerging ransomware-as-a-service operation claiming over 150 victims, utilizing diverse tactics that complicated defense efforts. Industry analysts noted potential links between Egregor and the disbanded Maze ransomware group due to operational similarities, though no direct affiliation was confirmed.