Anniemac hit with lawsuit after data breach

Anniemac Home Mortgage did not protect customer data as it was legally required, a proposed class-action lawsuit argues.

The complaint, filed by Franklin Montenegro, a current Anniemac customer, comes shortly after the mortgage lender disclosed it was hit by a cyberattack, which exposed the personally identifiable information of 171,000 current and former Anniemac customers in late August.

"Given that [Anniemac] was storing the personal information of plaintiff and class members and knew or should have known of the serious risk and harm caused by a data breach, the defendant was obligated to implement reasonable measures to prevent and detect cyberattacks," litigation filed in a federal New Jersey court said.

The suit accuses Anniemac of negligence, breach of implied contract and of fiduciary duty.

The New Jersey-based lender and servicer did not immediately respond to a request for comment Tuesday. Bloomberg Law first reported the story.

Days prior to the suit being filed, Anniemac disclosed that an unknown actor gained access to the lender's systems and viewed, or copied sensitive customer data between Aug. 21 and Aug. 23, per a notice filed with the Office of the Maine Attorney General. In letters to potentially affected customers, the company said names and Social Security numbers may have been compromised. 

The notice is "woefully inadequate," the litigation said, because it doesn't outline who exactly was behind the attack, how Anniemac plans to prevent similar events in the future, or provide its customers with identity monitoring services.

"Remarkably, the defendant put the burden on plaintiff and class members to take measures to protect themselves, advising them "remain vigilant by reviewing your account statements and credit reports closely," the litigation claims.

This allegation clashes with Anniemac CEO Joe Panebianco's statement that the company did provide credit monitoring services to impacted customers, free of charge, in a previous interview with National Mortgage News.

The suit argues that Anniemac "failed to ensure…sufficient processes to quickly detect and respond to data security incidents," creating a significant risk of identity theft and other forms of financial harm for customers going forward.

Montenegro is asking for the court to certify his suit as a class-action and compel Anniemac to implement appropriate methods and policies to ensure that consumer data is safe and to disclose with specificity the type of PII compromised during the data breach.

The mortgage industry has been an attractive target in recent years to cyber criminals due to the value of transactions taking place and their long lists of clients.

Mr. Cooper, Loandepot, Fairway Independent Mortgage Corp. Planet Home Lending and many more have also recently been targeted by cyber criminals.

As a result, home finance regulators, such as the Federal Housing Administration and Ginnie Mae, have moved to tighten data breach requirements for nonbanks.

There has also been a surge in lawsuits filed by affected customers, with some recently reaching settlements. The amounts of these payouts vary significantly depending on the breach: Sage Home Loans recently agreed to a $925,000 settlement, while Loandepot reported losses in the eight-figure range to address the aftermath of its large-scale cyberattack last winter.