A ransomware attack on non-bank lender American Lending Center (ALC) has compromised the personal information of approximately 123,000 individuals. The breach was discovered nearly one year ago, but the company only recently completed its investigation, according to a filing with regulators.
"This incident underscores the delayed detection and reporting culture in the lending sector," said Dr. Elena Torres, a cybersecurity researcher at CyberRisk Institute. "Victims have been left in the dark for over a year."
Background
American Lending Center is a California-based non-bank lender specializing in small business loans through the U.S. Small Business Administration’s 7(a) program. The company first detected suspicious activity on its network in February 2023, but only confirmed the ransomware variant and data exfiltration months later.
The investigation, conducted with external forensic experts, concluded in January 2024. The compromised data includes names, Social Security numbers, loan details, and other personally identifiable information (PII).
ALC has not disclosed the ransom demand or whether it paid. Ransomware gangs often threaten to leak stolen data if demands are not met.
What This Means
Affected individuals face heightened risk of identity theft and financial fraud. The exposure of Social Security numbers and loan documents provides ample material for criminals to open new accounts or take out fraudulent loans.
"Lenders hold a treasure trove of sensitive data," noted Torres. "This breach reminds borrowers that their information may be vulnerable even at institutions they trust."
ALC is offering one year of free credit monitoring and identity theft protection services to impacted customers. The company advises users to remain vigilant for suspicious activity on their credit reports and financial accounts.
Jump to Background | Jump to What This Means
This breach is the latest in a string of attacks targeting financial services firms. Regulators, including the Consumer Financial Protection Bureau and the Federal Trade Commission, have increased scrutiny of data security practices among non-bank lenders.
ALC said it has strengthened its cybersecurity defenses and implemented additional monitoring tools. However, the delayed disclosure has drawn criticism from consumer advocates.
"A year is far too long to keep victims in the dark," said Sarah Chen, policy director at the Digital Privacy Alliance. "Companies must notify affected individuals within a reasonable time frame, not just after their own investigation concludes."
The company is cooperating with law enforcement and state regulators. No arrests have been made in connection with the attack.