Optimum First Mortgage Compromised in PEAR Ransomware Attack
The PEAR ransomware group has claimed an attack on Optimum First Mortgage, alleging the theft of 9.3 TB of sensitive data including PII, PHI, and financial records.

The PEAR ransomware group has claimed an attack on Optimum First Mortgage, alleging the theft of 9.3 TB of sensitive data including PII, PHI, and financial records.

Optimum First Mortgage, a financial services organization, has reportedly been targeted by the PEAR ransomware group. The attackers claim to have successfully exfiltrated 9.3 terabytes of data from the organization's infrastructure. This volume of data represents a significant security event, encompassing a wide range of sensitive information, including financial documents, human resources records, client-specific private data, personally identifiable information (PII), and protected health information (PHI). Furthermore, the scope of the alleged theft extends to database exports, email correspondence, and stored OneDrive content.

When an attacker gains access to 9.3 TB of data, the primary concern is the depth of the breach. In the financial sector, where trust is the foundational currency, the exposure of customer financial details and private correspondence can lead to long-term reputational damage and severe regulatory scrutiny. For many enterprises, the initial access point is often an overlooked internet-facing asset or an unpatched vulnerability in an application. Ensuring that your organization is not susceptible to such breaches requires comprehensive Attack Surface Management to maintain visibility over cloud resources and remote access points.
The nature of this attack, which involves broad data exfiltration across disparate systems, suggests that the threat actor moved laterally to reach both operational and storage environments. Preventing such widespread damage requires a proactive approach. Organizations should consider rigorous Penetration Testing to identify the pathways an adversary might use to pivot from an initial entry point to high-value data stores.
For organizations operating in high-stakes environments, the response to a ransomware threat must be immediate and structured. If you suspect your environment has been compromised or if you want to understand your current level of exposure to similar threats, it is critical to perform a thorough triage.
Free exposure check
Dark Web Scanner
check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Beyond the immediate incident response, the exposure of 9.3 TB of data highlights the necessity of strict data classification and access controls. If your internal data is poorly segmented, a single compromised workstation can lead to a full network compromise. Enterprises must move toward a zero-trust model where authentication is verified continuously and access to sensitive databases is restricted based on the principle of least privilege. In the context of regulatory compliance, losing control of PII and PHI places an organization in direct violation of global standards, making compliance-first security strategies essential.
Ransomware is rarely an isolated event; it is the culmination of a successful multi-stage attack. By the time the ransom note appears, the attacker has already achieved persistence, mapped the network, and identified the most valuable data. To mitigate this risk, security teams should focus on:
Continuous Exposure Monitoring: Regularly scan for exposed services and misconfigurations.
Advanced Simulation: Use red teaming to stress-test your incident response and detection capabilities.
Identity Protection: Strengthen authentication boundaries to prevent lateral movement.
Supply Chain Hygiene: Review software and service dependencies to eliminate secondary attack paths.
By shifting to an offensive security posture, you change the economic equation for the attacker. Rather than waiting for a breach, enterprises should proactively find and close the gaps that allow for 9.3 TB of data loss to occur in the first place.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
Legal firm Vogeler Rechtsanwälte has been targeted by the Cloak ransomware group, with attackers claiming possession of 1.1 TB of organizational data. We analyze the implications of this incident and how firms can protect against high-stakes exfiltration threats.

June 19, 2026
KRYBIT ransomware actors claim to have exfiltrated 316 GB of data from AASA CP Holding. We break down the implications for GCC enterprises and outline immediate defensive priorities to mitigate similar risks.

June 18, 2026
LockBit 5.0 has claimed a successful ransomware attack on SRA, threatening data publication. Learn about the implications of this incident and how to harden your defenses.
Onion URL
http://peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did.onion/Companies/optimumfirst