The California-based mortgage lender loanDepot is facing at least two class actions for a cybersecurity incident that impacted 16.6 million customers.
The first lawsuit was filed Jan. 19 by Daroya Isaiah of Adelanto, California. It says since the data breach, she has "experienced a significant increase in SPAM phone calls or text messages; and noticed strange information or
accounts on her credit report, which plaintiff believes could be attributed to the data breach."
In the lawsuit filed earlier this week in federal court in California, plaintiff Jonathan Rosas of Passaic County, New Jersey applied for and obtained a loan from loanDepot during the summer of 2021.
loanDepot does not comment on pending litigation-- however, it has said it is offering credit monitoring and identity protection services to affected customers.
Both lawsuits are seeking class status and point to another cyberattack in August 2022 that loanDepot didn't disclose until May 2023.
The lawsuits claim loanDepot failed to "prevent the data breach," in the first place.
"loanDepot has not yet shared what type of customer personal information was accessed and stolen from its systems," one of the complaints states.
The risk for customers of having their personally identifiable information (PII) stolen is that "hackers can sell the PII to other thieves or misuse themselves to commit a variety of crimes that harm victims of the Data Breach," the complaint states. "For instance, they can take out loans, mortgage property, open financial accounts, and open credit cards in a victim’s name; use a victim’s information to obtain government benefits or file fraudulent returns to obtain a tax refund; obtain a driver’s license or identification card in a victim’s name; gain employment in another person’s name; or give false information to police during an arrest."
The complaint cites loanDepot's security policy which says "loanDepot takes steps to safeguard your personal and sensitive information through industry standard physical, electronic, and operational policies and practices. All data that is considered highly confidential data can only be read or written through defined service access points, the use of which is password protected."
The cyber incident was only the latest in a series of attacks on financial institutions. Several notable mortgage industry companies have faced cyberattacks in recent months, underscoring the growing cybersecurity challenges in the financial sector. The cyberattack of loanDepot follows recent breaches at First American, Fidelity National Financial, and Mr. Cooper Group.
