Cyberattacks on mortgage lenders continue, and without taking extensive measures to safeguard borrowers’ information, expect lawsuits follow. Stemming from a cyberattack and data breach that occurred at the end of August, Ally Financial Inc. and its subsidiary, Ally Bank, face a proposed class action lawsuit, filed September 7 in North Carolina federal court.
The plaintiff, Robert Hamilton, and class members allege that Ally Financial was negligent and failed to implement “reasonable industry standard security practices.” The plaintiff received a Notice of Data Breach letter dated Aug. 30, 2024, that occurred on an unspecified date. An unauthorized actor was able to access the Plaintiff’s private information through a vendor’s system, including the plaintiff’s name, social security number, date of birth, address, driver’s license number, email address, and phone number.
However, plaintiffs state in the lawsuit that Ally Financial and Ally Bank became aware of the cyberattack and data breach on Aug. 1, 2024, prompting the lawsuit alleging negligence, breach of implied contract, and unjust enrichment.
An attorney representing the defendants did not provide an immediate response to a request for comment.
The complaint also suggests that clients' stolen personal information could be sold on the dark web, stating, “numerous sources cite dark web pricing for stolen identity credentials.” The complaint lists dark-web prices on credit card details and bank logins as averaging from $40 to $200.
Martin Walter, senior director at cybersecurity firm RedSeal, says that the stolen information and customer data from Ally Bank is actually much more valuable. “[C]ompared to credit card information, personally identifiable information and Social Security Numbers are worth more than 10x on the black market,” he explained.
The class members allege that the data breach was foreseeable, given the recent high profile data breaches at other leading financial firms, including Mr. Cooper, Fidelity National Financial, First American Financial Corporation, and loanDepot. Such cases have raised both the public's and businesses' awareness of the heightened risk that financial services companies face.
“Given the nature of Defendant’s Data Breach, as well as the long delay in notification to Class Members, it is foreseeable that the compromised PII has been or will be used by hackers and cybercriminals in a variety of devastating ways. Indeed, the cybercriminals who possess Plaintiffs’ and Class Members’ PII may easily obtain Plaintiffs’ and Class Members’ tax returns or open fraudulent credit card accounts in Class Members’ names,” the lawsuit reads.
The plaintiff and class members are seeking equitable relief pertaining to the “misuse and/or disclosure of private information,” and from “refusing to issue prompt, complete, any accurate disclosures.” The plaintiff, individually and on behalf of all class members, demands a trial by jury on all issues so triable.
According to the 2023 Annual Data Breach Report, there were 3,205 data compromises in 2023, up 78% from 2022 (1,801 data compromises). The Identity Theft Resource Center set a new record for the number of data compromises tracked in a year, up 72% from the previous all-time high in 2021 (1,860).
