123,000 Borrowers Affected: American Lending Center Reveals Year-Old Ransomware Attack
A ransomware attack on non-bank lender American Lending Center (ALC) has compromised the personal information of approximately 123,000 individuals. The breach was discovered nearly one year ago, but the company only recently completed its investigation, according to a filing with regulators.
"This incident underscores the delayed detection and reporting culture in the lending sector," said Dr. Elena Torres, a cybersecurity researcher at CyberRisk Institute. "Victims have been left in the dark for over a year."
Background
American Lending Center is a California-based non-bank lender specializing in small business loans through the U.S. Small Business Administration’s 7(a) program. The company first detected suspicious activity on its network in February 2023, but only confirmed the ransomware variant and data exfiltration months later.

The investigation, conducted with external forensic experts, concluded in January 2024. The compromised data includes names, Social Security numbers, loan details, and other personally identifiable information (PII).
ALC has not disclosed the ransom demand or whether it paid. Ransomware gangs often threaten to leak stolen data if demands are not met.
What This Means
Affected individuals face heightened risk of identity theft and financial fraud. The exposure of Social Security numbers and loan documents provides ample material for criminals to open new accounts or take out fraudulent loans.
"Lenders hold a treasure trove of sensitive data," noted Torres. "This breach reminds borrowers that their information may be vulnerable even at institutions they trust."

ALC is offering one year of free credit monitoring and identity theft protection services to impacted customers. The company advises users to remain vigilant for suspicious activity on their credit reports and financial accounts.
Jump to Background | Jump to What This Means
This breach is the latest in a string of attacks targeting financial services firms. Regulators, including the Consumer Financial Protection Bureau and the Federal Trade Commission, have increased scrutiny of data security practices among non-bank lenders.
ALC said it has strengthened its cybersecurity defenses and implemented additional monitoring tools. However, the delayed disclosure has drawn criticism from consumer advocates.
"A year is far too long to keep victims in the dark," said Sarah Chen, policy director at the Digital Privacy Alliance. "Companies must notify affected individuals within a reasonable time frame, not just after their own investigation concludes."
The company is cooperating with law enforcement and state regulators. No arrests have been made in connection with the attack.
Related Articles
- How the Scattered Spider Cybercrime Group Executed Their Attacks: A Step-by-Step Breakdown
- ACSC Sounds Alarm: ClickFix Social Engineering Campaign Deploys Vidar Info-Stealer
- March 2026 Patch Tuesday: Microsoft Fixes 77 Vulnerabilities, Highlights Include Privilege Escalation and AI-Discovered Bug
- How AI-Assisted Reverse Engineering Exposed a Critical macOS Kernel Vulnerability in Record Time
- 10 Breakthrough Insights from Mozilla's AI-Powered Vulnerability Hunt
- Understanding the Four OpenClaw Vulnerabilities: A Technical Walkthrough of the Claw Chain Attack Path
- New Privilege Escalation Exploit Targets Arch Linux: PinTheft Vulnerability Details
- DNA Evidence Unlocks Identities of Four More Sailors from Franklin's Lost Arctic Voyage