Full Report
Tennessee-based Mortgage Investors Group (MIG) did not outline how many customers were impacted by the attack but said they have hired a vendor to identify the affected individuals. The company said it expects to notify those customers directly once the process is completed in several weeks.
Analysis Summary
# Incident Report: Mortgage Investors Group Data Breach and Black Basta Ransomware Activity
## Executive Summary
Mortgage Investors Group (MIG), a large mortgage lender in the Southeastern U.S., experienced a cybersecurity incident beginning on December 11th, which resulted in unauthorized access to customer information. The attack, claimed by the Black Basta ransomware group, exposed sensitive personal and financial information belonging to an unknown number of customers. MIG initiated an investigation, engaged forensic vendors, and is preparing to notify affected individuals.
## Incident Details
- Discovery Date: December 12 (one day after the attack began)
- Incident Date: On or around December 11, [Year Not Specified]
- Affected Organization: Mortgage Investors Group (MIG)
- Sector: Financial Services (Mortgage Lending)
- Geography: Tennessee-based, Southeast U.S.
## Timeline of Events
### Initial Access
- Date/Time: December 11, [Year Not Specified] (attack began)
- Vector: Unauthorized access to MIG’s computer environment. The specific initial access vector is not detailed in public reporting; the intrusion is attributed to Black Basta operations.
- Details: An unauthorized user gained access to the network infrastructure.
### Lateral Movement
- Details: Not explicitly detailed, but implied through the exposure of sensitive information suggesting successful navigation within the environment.
### Data Exfiltration/Impact
- Details: Exposure of sensitive personal information pertaining to a number of individuals, including full names and financial information. The incident was claimed by the Black Basta ransomware gang, suggesting potential encryption or data extortion.
### Detection & Response
- Date/Time: December 12 (discovery)
- Details: MIG discovered the unauthorized access. They hired a vendor to conduct an investigation to identify affected individuals and are preparing direct notifications within several weeks.
## Attack Methodology
- Initial Access: Unknown, resulting in unauthorized access to the computer environment.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, though the breach progressed sufficiently to access sensitive data.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Implied by the scope of the data exposure.
- Collection: Gathering of sensitive personal and financial information.
- Exfiltration: Implied by the successful data exposure reported.
- Impact: Data exposure of customer personally identifiable information (PII) and financial data.
## Impact Assessment
- Financial: Not specified, but likely includes costs for investigation, remediation, customer notification, and potential regulatory fines.
- Data Breach: Sensitive personal information and financial information belonging to an unknown number of customers (MIG serves approx. 300,000 customers).
- Operational: Potential disruption to normal business processes during the investigation and remediation, though the article focuses on the data aspect.
- Reputational: As a large mortgage lender, reputational damage is significant following confirmation of a major data breach.
## Indicators of Compromise
- **Network Indicators (Defanged):** No specific IoCs shared in the public advisory.
- **File Indicators:** None provided.
- **Behavioral Indicators:** Unauthorized user activity leading to data exposure.
## Response Actions
- **Containment measures:** Not explicitly detailed, but assumed to have begun upon discovery on December 12.
- **Eradication steps:** Engaging a forensic vendor to confirm the scope and remove the threat actor.
- **Recovery actions:** Preparing to notify affected customers directly once the vendor analysis is complete.
## Lessons Learned
- The mortgage and financial industry remains a primary target for sophisticated ransomware groups like Black Basta, who attack critical infrastructure sectors.
- Timely internal detection is crucial (here the unauthorized access was discovered within 24 hours of the attack beginning), though remediation remains challenging.
- Reliance on external vendors is necessary for thorough post-incident forensic analysis of large-scale compromises.
## Recommendations
- **Prevention measures for similar incidents:** Implement enhanced monitoring for anomalous network access, particularly focusing on lateral movement indicators. Review multi-factor authentication enforcement across all network segments. Harden access controls around systems containing aggregated customer PII and financial data, given the high-profile targeting of mortgage lenders by Black Basta.
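As an added illustration of the monitoring recommendation above (example code written for this report, not anything MIG or the forensic vendor published), the following Python flags one lateral-movement indicator: a single account successfully authenticating to an unusually large number of distinct hosts inside a short sliding window. The log format, account names, host names, window length and threshold are all constructed assumptions; in practice the parser would be pointed at Windows Security event 4624 exports, VPN logs or similar, and the threshold tuned to each account's normal fan-out.

```python
"""Added example (not part of the original report): a minimal lateral-movement
heuristic over constructed authentication log lines. It alerts when an account
logs on to more than THRESHOLD distinct target hosts within WINDOW."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, event, account, source -> target host.
# One service account fans out to five servers in under three minutes; a normal
# user touches two hosts over a working morning. All names are fictitious.
SAMPLE_LOGS = """\
2024-12-11T02:10:05Z LOGON_SUCCESS acct=svc_backup src=WS-014 dst=FS-01
2024-12-11T02:10:41Z LOGON_SUCCESS acct=svc_backup src=WS-014 dst=FS-02
2024-12-11T02:11:09Z LOGON_SUCCESS acct=svc_backup src=WS-014 dst=DB-01
2024-12-11T02:11:52Z LOGON_SUCCESS acct=svc_backup src=WS-014 dst=APP-03
2024-12-11T02:12:30Z LOGON_SUCCESS acct=svc_backup src=WS-014 dst=DC-01
2024-12-11T02:12:45Z LOGON_FAILURE acct=svc_backup src=WS-014 dst=DC-02
2024-12-11T08:00:12Z LOGON_SUCCESS acct=jdoe src=WS-021 dst=FS-01
2024-12-11T09:15:44Z LOGON_SUCCESS acct=jdoe src=WS-021 dst=APP-03
"""

WINDOW = timedelta(minutes=10)   # assumption: sliding window length
THRESHOLD = 4                    # assumption: distinct hosts per account per window


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event, **fields}


def detect_fan_out(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {account: {"first_seen": datetime, "hosts": [...]}} for every
    account whose distinct successful-logon targets inside `window` exceed
    `threshold`. Failed logons are ignored; lines are sorted by timestamp so
    out-of-order input is handled."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)   # account -> deque of (ts, dst) inside the window
    alerts = {}
    for e in events:
        if e["event"] != "LOGON_SUCCESS":
            continue
        q = recent[e["acct"]]
        q.append((e["ts"], e["dst"]))
        # Drop entries that have fallen out of the sliding window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) > threshold and e["acct"] not in alerts:
            alerts[e["acct"]] = {"first_seen": q[0][0], "hosts": sorted(hosts)}
    return alerts


if __name__ == "__main__":
    for acct, info in detect_fan_out(SAMPLE_LOGS).items():
        print(f"ALERT {acct}: {len(info['hosts'])} hosts since "
              f"{info['first_seen'].isoformat()} -> {info['hosts']}")
```

Running it on the constructed sample raises one alert for `svc_backup` (five distinct hosts within the window) and none for `jdoe`. A production rule would also suppress known scanning or backup accounts by allow-list and feed the alert into the same queue that the December 12 discovery would have reached.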