Cyber Incident Victim: LendUS
Date:
Feb 2021
Location:
United States of America
Summary
LendUS experienced unauthorized access to employee email accounts, prompting immediate security measures and an investigation aided by a cybersecurity firm. The probe revealed potential exposure of sensitive data, including names combined with Social Security numbers, financial details, medical information, and account credentials, though investigators could not confirm whether specific emails or attachments were compromised. The breach impacted both customers and employees, with the organization conducting a precautionary review of potentially affected communications to assess the scope of personal information involved.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The LendUS data security incident involved unauthorized access to certain employee email accounts over a period spanning from February 2, 2021, to March 22, 2021. Upon identifying the suspicious activity, LendUS secured the affected accounts and initiated an investigation with support from a cybersecurity firm. The investigation confirmed the unauthorized access but could not conclusively determine whether any emails or attachments within the compromised accounts were viewed or exfiltrated. The company did not disclose when it first detected the incident or the specific method of discovery. Between February 2021 and December 2021, LendUS conducted a review of the potentially exposed email accounts and their contents as a precautionary measure.
On December 21, 2021, LendUS confirmed that the emails or attachments accessible during the breach window contained sensitive personal information. This included individuals’ names combined with one or more data elements: Social Security numbers, driver’s license numbers, financial and payment card account details, passport numbers, tax identification numbers, medical and health insurance information, and online account credentials. The affected data pertained to both LendUS employees and customers. The company publicly disclosed the incident via a press release on February 8, 2022, over a year after the initial unauthorized access period. No additional technical details regarding the attack vector, containment measures beyond securing the email accounts, or specific impact metrics were provided in the announcement.