LendUS agrees to settlement in knowledge breach lawsuit
Mortgage lender LendUS reached a settlement this week to resolve a legal case tied to a 2021 cyber attack that revealed personal identifiable information of customers and employees.
Without admitting wrongdoing, the company, which was acquired by CrossCountry Mortgage in mid 2022, will pay an undisclosed amount to settle the lawsuit.
CrossCountry declined to provide further details regarding the settlement. “LendUS was not part of CCM at the time of the alleged infractions. We do not comment on matters prior to acquisition,” a company spokesperson said in a statement.
In multiple incidents between February and March 2021, an unauthorized individual was able to gain access to files belonging to LendUS that held personal information of consumers, including, but not limited to, Social Security and driver’s license numbers, financial and payment card account information and online account credentials.
LendUS determined its system had been compromised in December that year and began notifying affected parties in early 2022. The lender also established a dedicated call center and offered free credit monitoring to individuals whose data had been compromised.
Shortly after notices were sent, attorneys filed a lawsuit in the Northern District of California, alleging the company failed to use “reasonable” security procedures to prevent the breach and was “negligent” in not detecting it for nine months. Plaintiffs Evangelia Remoundos, John Biegger and Anne Biegger sought to represent those impacted.
The infraction at LendUS, which was based in Alamo, California, is one of several cyber fraud events that have occurred at mortgage lenders and servicers since 2021. Companies, including KeyBank, Lower and subsidiaries of Bayview Asset Management all were named last year in various lawsuits surrounding breaches that revealed personal information.
LendUS has also been listed as a defendant in multiple other legal actions filed against the lender or its predecessor, RPM Mortgage, in the last decade. In April last year, CrossCountry acquired LendUS for an undisclosed amount.
In a public statement announcing the breach last February, LendUS said it had implemented safeguards and additional technical security measures and was providing more training to its staff.
According to the terms of the settlement, LendUS will reimburse members represented in the lawsuit up to $500 for documented data breach losses and lost time. Consumers who became victims of fraud or identity theft as a result of the breach are eligible for payments of up to $2,500.
All members of the lawsuit are also eligible to receive three years of free identity theft protection, which Includes $1 million worth of fraud insurance.