123,000 Borrowers Affected: American Lending Center Reveals Year-Old Ransomware Attack
A ransomware attack on non-bank lender American Lending Center (ALC) has compromised the personal information of approximately 123,000 individuals. The breach was discovered nearly one year ago, but the company only recently completed its investigation, according to a filing with regulators.
"This incident underscores the delayed detection and reporting culture in the lending sector," said Dr. Elena Torres, a cybersecurity researcher at CyberRisk Institute. "Victims have been left in the dark for over a year."
Background
American Lending Center is a California-based non-bank lender specializing in small business loans through the U.S. Small Business Administration’s 7(a) program. The company first detected suspicious activity on its network in February 2023, but only confirmed the ransomware variant and data exfiltration months later.
The investigation, conducted with external forensic experts, concluded in January 2024. The compromised data includes names, Social Security numbers, loan details, and other personally identifiable information (PII).
ALC has not disclosed the ransom demand or whether it paid. Ransomware gangs often threaten to leak stolen data if demands are not met.
What This Means
Affected individuals face heightened risk of identity theft and financial fraud. The exposure of Social Security numbers and loan documents provides ample material for criminals to open new accounts or take out fraudulent loans.
"Lenders hold a treasure trove of sensitive data," noted Torres. "This breach reminds borrowers that their information may be vulnerable even at institutions they trust."
ALC is offering one year of free credit monitoring and identity theft protection services to impacted customers. The company advises users to remain vigilant for suspicious activity on their credit reports and financial accounts.
Jump to Background | Jump to What This Means
This breach is the latest in a string of attacks targeting financial services firms. Regulators, including the Consumer Financial Protection Bureau and the Federal Trade Commission, have increased scrutiny of data security practices among non-bank lenders.
ALC said it has strengthened its cybersecurity defenses and implemented additional monitoring tools. However, the delayed disclosure has drawn criticism from consumer advocates.
"A year is far too long to keep victims in the dark," said Sarah Chen, policy director at the Digital Privacy Alliance. "Companies must notify affected individuals within a reasonable time frame, not just after their own investigation concludes."
The company is cooperating with law enforcement and state regulators. No arrests have been made in connection with the attack.
Related Articles
- Microsoft Issues Urgent Advisory on Actively Exploited Exchange Server Flaw
- Organizational Scaling Crisis: Experts Warn Trust and Psychological Safety at Risk in Fast-Growing Tech Teams
- How to Secure Your Network Edge Against Modern Intrusions: A Step-by-Step Guide
- Widespread Linux Kernel Crypto Flaw Grants Instant Root Access to Local Attackers
- Supply Chain Attack on Popular ML Tool Exposes User Credentials
- How Frontier AI Is Revolutionizing Cybersecurity Defense
- Massive Cyber Security Alert: SMS Blasting, Medical Data Flaws, and Roblox Accounts Under Attack – Over 25 Threats Revealed
- Zara Data Breach: Personal Details of Nearly 200,000 Customers Stolen