Mortgage firms sued over breach impacting 100,000 customers

A pair of customers are suing Fulton Bank and a mortgage insurance firm for failing to protect their loan information and Social Security numbers in a large data breach that has also led to litigation against KeyBank. 

Pennsylvania residents Scott and Margaret Sheckard accuse the depository and Overby-Seawell Company of negligence, and among other counts, in a class action complaint filed last week in the U.S. District Court for the Northern District of Georgia. OSC provides ongoing verification of residents' property insurance coverage, according to a disclosure.

The hack of OSC's servers between May 26 and July 5 laid bare the personally identifiable information of 100,772 Fulton Bank customers, the lender's parent company, Fulton Financial Corporation, said in a disclosure last month with the Office of the Maine Attorney General. The bank's servers were unaffected by the incident, a spokesperson for Lancaster, Pennsylvania-based Fulton Bank confirmed in a statement Monday.

Plaintiffs seek damages in excess of $5 million, according to the lawsuit. OSC in a statement confirmed its response to the incident but didn't respond to the lawsuit accusations. An attorney for the Sheckards didn't respond to a request for comment.

The cyberattack also affected similar information of an unknown number of KeyBank customers, one of who filed a similar suit against the institutions last month in an Ohio federal court. Four more plaintiffs have since joined that complaint and a summons has been issued to KeyBank.

OSC discovered suspicious activity on some of its computer systems July 5, and launched an investigation with third-party forensic specialists, according to its Maine notice. It learned July 11 about information stolen by unidentified culprits. The method of attack was only described by Fulton as a "external system breach (hacking)". 

Any relationship between the Sheckards wasn't disclosed in the lawsuit, and the complaint didn't confirm their relationship with the depository.

"[Scott Sheckard] would have not sought a loan from or provided his PII to Fulton had he known that Defendants would not adequately protect his PII," the suit said. 

The lawsuit points to privacy policies on the companies' websites, including a Fulton Bank policy that states the firm applies technical security measures applicable with federal and state laws. 

Fulton Bank originated $4.2 billion in residential mortgages in the second quarter, an increase of $257 million, or 6.5% from the prior quarter, according to its most recent earnings statement. The bank counts over 200 branches across Delaware, Maryland, New Jersey, Pennsylvania and Virginia. 

The OSC incident is the latest major data breach at a mortgage firm this year, following major cyberattacks at lenders, servicers and other vendors. Currently, the breaches are reported to state attorneys general offices; but a new regulation created in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will soon require depositories to report significant cybersecurity incidents within 72 hours. The Cybersecurity and Infrastructure Security Agency is accepting comments regarding the rule by November 14.