Cyber Incident Victim: Planet Home Lending

On or around May 29, 2023, Planet Home Lending, LLC, a financial services company based at 321 Research Parkway, Suite 303, in Meriden, Connecticut, experienced a significant external system breach. The incident was identified as a hacking event that resulted in the unauthorized acquisition of sensitive personal information. The breach was not discovered immediately; it was officially detected three days later on June 1, 2023. The specific systems targeted in the attack were not detailed in the public notification, but the method of intrusion was confirmed to be an external compromise of the company's digital infrastructure.

The investigation into the breach determined that the information acquired by the threat actor included the names of affected individuals in combination with their Social Security Numbers. This specific combination of personal identifiers is highly sensitive and is classified as personally identifiable information that can be used for identity theft and financial fraud. The total number of individuals impacted by this data security incident was 3,119 persons. This figure included a very small number of residents from the state of Maine, specifically two individuals. Because the total number of Maine residents affected was below the 1,000-person threshold, the mandatory notification to consumer reporting agencies was not triggered by the Maine count, though the company confirmed that such agencies had been notified overall in accordance with other applicable laws.

The response from Planet Home Lending involved a formal notification process directed at all individuals whose information was compromised in the attack. The company opted for written notification to inform consumers of the breach. These notifications were dispatched to affected persons on August 31, 2023, which was over three months after the breach occurrence and nearly three months after its discovery. This timeline suggests a period of investigation was undertaken to determine the full scope and impact of the incident before contacting those affected. A copy of the notice intended for Maine residents was filed with the state's authorities, titled "Planet Home Lending - MOVEit Letter Template(176587249.11) V2___Static_Proof_R2 (002).pdf," which indicates a possible connection to the widespread MOVEit file transfer software exploitation that occurred during the same time period, though the filing itself did not explicitly confirm this link.

As part of its remedial actions, Planet Home Lending offered identity theft protection services to every individual impacted by the breach. The provider of these services was IDX. The company committed to providing all affected individuals with access to these services. For the two residents of Maine, the offering included a full twelve months of identity protection coverage. The duration of coverage for individuals residing outside of Maine was not specified in the Maine Attorney General filing, but the commitment to provide "at least" IDX services was confirmed for the entire impacted population. The offering of such services is a common practice intended to help monitor for and mitigate potential misuse of the stolen personal information. The breach was reported to the Office of the Maine Attorney General by Ashley Matthews, a partner at the law firm McGuireWoods LLP, who acted as legal counsel for Planet Home Lending in this matter. The submission was made via the state's online data breach reporting system.