Cyber Incident Victim: Ellington Management Group
Date:
Feb 2022
Location:
United States of America
Summary
Ellington Management Group experienced a data breach when an unauthorized party accessed two employee email accounts, potentially exposing sensitive mortgage holder information. The compromised data included names, Social Security numbers, driver's license details, electronic signatures, credit card information, dates of birth, financial account numbers, and other mortgage-related data. After identifying affected individuals through a review of the breached accounts, the company notified impacted parties. The incident stemmed from unauthorized access to employee email accounts used in connection with mortgage loan sales or potential transactions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 29, 2022, Ellington Management Group, LLC reported a data breach to the Montana Attorney General after discovering unauthorized access to two employee email accounts. The company first detected the compromise on February 24, 2022, when it became aware that an external party had infiltrated the email accounts of employees involved in mortgage loan transactions. These accounts contained sensitive consumer information related to the sale or potential sale of mortgage loans. Ellington initiated a comprehensive review of all affected files to determine the scope of the incident and identify compromised data. The investigation concluded on July 15, 2022, confirming that exposed information included mortgage holders' names, Social Security numbers, driver's license numbers, electronic signatures, credit card numbers, dates of birth, bank or financial account numbers, and other mortgage-related documentation. The breach notification letters sent to affected individuals specified that the exact combination of compromised data varied per victim based on their mortgage interactions with the company.
Ellington Management Group, a Connecticut-based investment adviser founded in 1994 with over 25 employees and $103 million annual revenue, completed consumer notifications within six months of discovering the breach. The company's response involved securing the compromised email accounts, conducting forensic analysis to map the extent of data exposure, and implementing measures to prevent similar incidents. Affected individuals faced potential risks including identity theft, financial fraud, and tax-related fraud due to the exposure of multiple identity verification elements. The breach impacted mortgage holders whose personal information was accessible through the breached email accounts during routine business operations. Ellington provided credit monitoring services to victims as part of its breach response protocol, though the duration and specific terms of this offering were not detailed in regulatory filings. The incident exposed systemic vulnerabilities in email account security practices related to handling sensitive mortgage documentation containing multiple high-risk data categories per affected individual.