
Cyber Incident Victim: Academy Mortgage

Date:

May 2023

Location:

United States of America

Summary

Academy Mortgage was targeted by the AlphV/BlackCat ransomware group, which claimed to have exfiltrated sensitive data after a prolonged period of network access. The stolen information reportedly included customer and partner details, personal data, financial records, and internal documents; the samples posted included images of drivers' licenses. The threat actors published these samples on their dark web leak site and leveraged the company's recent legal settlement to increase pressure, while the firm itself did not immediately confirm the incident publicly.


Description

On or before May 14, 2023, the AlphV ransomware group, also known as BlackCat, publicly announced it had compromised Academy Mortgage Corporation. The Utah-based mortgage lending company was listed on the threat actor's dark web leak site, indicating a significant cybersecurity incident. The group's announcement detailed a prolonged period of unauthorized access within the company's network, stating they had been present for a long time and had utilized that time to study the business operations of Academy Mortgage. The primary malicious action confirmed by the attackers was the exfiltration of a large quantity of sensitive data. The AlphV group claimed to have stolen confidential company data, which included customer and partner information, personal data, financial records, and other internal documents.

As proof of their claims, the AlphV group published a series of screenshots showcasing files they had allegedly exfiltrated from Academy Mortgage's systems. This evidence included images of drivers' licenses, internal corporate documents, and statements. The public posting of this proof was a tactic to pressure the company into paying a ransom. The group's announcement directly referenced Academy Mortgage's recent legal settlement from December of the previous year, in which the company agreed to pay $38.5 million to resolve federal charges it violated the False Claims Act. The threat actors used this previous incident to amplify their extortion demands, suggesting that a new privacy data breach following so closely behind the legal trouble would have a devastating impact on the company's reputation and credibility, potentially causing severe damage to public trust and leading to significant financial losses.

A key point of uncertainty surrounding the incident, as reported from external analysis, was whether the attack involved the encryption of systems in addition to the data theft. The AlphV group's public post did not explicitly state whether they had deployed ransomware to lock files within Academy Mortgage's network or if their operation was solely focused on data exfiltration for the purpose of extortion. The public announcement from the threat actors stated that Academy Mortgage had refused to pay any ransom demand, which was the catalyst for the data being dumped on their leak site. This refusal to negotiate led to the public exposure of the stolen data.

In the immediate aftermath of the public disclosure by the AlphV group, Academy Mortgage's public response was characterized by a notable absence of official communication. The company did not post any information about the cybersecurity incident on its corporate website. There was no immediate public statement, notification to customers, or filing with regulatory authorities acknowledging the breach. A direct inquiry was sent to the company via email by a journalist, asking for confirmation of the attack and for additional details regarding whether their systems had been locked by ransomware. At the time of the initial reporting, no reply to this inquiry had been received from Academy Mortgage, leaving the claims made by the AlphV group unconfirmed by the victim organization.

The nature of the data allegedly exfiltrated pointed to a significant compromise of sensitive information. The inclusion of drivers' license images in the proof package indicated that personally identifiable information of individuals was likely accessed and stolen. A breach of this kind carries serious potential consequences for affected customers, including an elevated risk of identity theft and fraud. Furthermore, the theft of internal documents, financial data, and confidential corporate information posed a direct threat to the company's business operations, competitive standing, and intellectual property. The attackers' claim to have studied the business during their time in the network suggested the possibility of targeted intellectual property theft beyond the general data exfiltration.

The impact of the incident was immediately framed through the lens of reputational damage, exacerbated by the company's recent legal troubles. The threat actors themselves highlighted this vulnerability, calculating that the combination of a major data breach and a recent multi-million dollar federal settlement would maximize pressure on the company and harm its standing with the public and its partners. The attackers also cited the potential for financial losses, which could stem from regulatory fines, litigation costs from affected individuals, loss of business, and the significant expenses associated with incident response and remediation. The full scope of the intrusion and the exact number of individuals affected remained unclear based solely on the threat actor's announcements and the limited data samples released as proof. The incident represented a serious security event for Academy Mortgage, involving a sophisticated ransomware group known for targeting large organizations and for double-extortion tactics, in which data is stolen and systems may also be encrypted to compel payment.
