New Calendar, Or Dictionary, Needed For AnnieMac
Half-a-dozen class-action law firms have launched investigations into AnnieMac's "proactive" handling of a late-August data breach.
At least six class-action law firms have launched investigations into AnnieMac Home Mortgage’s (“AnnieMac”) handling of a data breach that occurred between Aug. 21-23, 2024, exposing the names and social security numbers of more than 171,000 customers.
AnnieMac became aware of the incident on Aug. 23, though only alerted impacted customers last week. Waiting nearly three months to warn customers that their personal financial data may have landed in the hands of cybercriminals “may have violated state and federal laws,” says the press release issued by Schubert Jonckheer & Kolbe LLP, a firm specializing in class actions.
After becoming aware of the incident on Aug. 23, AnnieMac conducted a forensic investigation and determined that cybercriminals infiltrated its “inadequately secured computer environment and thereby gained access to its data files,” reads the press release from Murphy Law firm.
In contrast, AnnieMac CEO Joe Panebianco has applauded his team’s “vigilance and expertise” in the aftermath of the breach. Couched in remarks about increasing rates of cybercrime across the financial sector, Panebianco said AnnieMac “acted swiftly and decisively to contain the event, minimize potential harm, and notify those impacted.”
Panebianco highlighted the “proactive measures taken” in response to the incident, including the following actions taken “immediately”: securing its systems and neutralizing the breach; collaborating with cybersecurity experts to assess and reinforce its defenses; and offering complimentary credit monitoring as well as identity theft protection services to impacted customers.
If this were a home invasion, one wonders whether expelling the intruders, barricading the doors, dialing the authorities, and Googling “best dog breeds for home security” while waiting for the authorities to arrive would be considered “proactive.”
AnnieMac’s filing of a notice of data breach with Maine’s Office of the Attorney General begs clarification of the company’s incident response timeline. NMP reached out to AnnieMac to inquire about the timeline and characterization of AnnieMac's incident response, but a spokesperson was not immediately available.
In its Maine filing, AnnieMac said it became aware of the data breach on Oct. 15. The company issued letters on or around Nov. 14, only then notifying customers whose personal data may have been compromised and offering complimentary credit monitoring and identity theft protection services.
Moreover, that letter begins: “On August 23, 2024, AnnieMac became aware of suspicious activity on certain systems within its network.” Whether Aug. 23 or Oct. 15 should serve as the effective date of its “notification event,” lawyers for the lender and affected customers will decide.
“Our proactive response underscores our commitment to safeguarding our customers’ trust,” Panebianco continued in AnnieMac’s press release. “We’ve strengthened our systems, enhanced employee training, and refined our response protocols to further fortify our defenses.”
The following law firms have announced investigations into AnnieMac’s handling of the incident: