Planet Home Lending, Academy Mortgage sued (again) over PII breach

Litigation accusing mortgage lenders of failing to protect the personal identifiable information of customers continues to pour in. 

Most recently Planet Home Lending was hit with a class action suit, while Academy Mortgage was hit with two more. Both lenders disclosed their systems were breached last year and PII of customers was leaked as a result.

The suit against Planet Home Lending, filed in Connecticut by Jaime Mazzo Feb. 1, faults the company for not complying with industry standards in protecting systems that store customer information, as well as not being transparent in informing customers about the breach. 

Planet Home Lending's breach impacted 199,873 of its customers, the lender reported to the Office of the Maine Attorney General Jan. 24. The mortgage lender has blamed the breach, which took place on Nov. 15, 2023, on a vulnerability in a software program that Planet purchased from Citrix Systems. 

This is not the first instance that data has been leaked from the mortgage shop. Five months prior — in June 2023 –  another hack exposed the Social Security numbers of Planet's customers, according to court documents. 

The suit is calling for Planet Home Lending to step up its data security policies and practices, as well as provide free credit monitoring and identity theft insurance to customers. 

"Planet Home's policies and practices with respect to maintaining the security of plaintiff's and class members' PII were reckless, or at the very least, negligent," Mazzo's suit argues.

Meanwhile, the two class actions filed in Utah against Academy Mortgage say the lender failed to promptly report the incident and maintained PII  "in a reckless manner." 

Over 280,000 customers had their birth dates and Social Security numbers compromised during the breach on March 21, 2023, though customers were only notified of it on Dec. 20, 2023. In total, there are currently three class action suits pending against the lender over this event.

Two of the suits specifically criticize Academy Mortgage for taking too long to report the attack to customers.

The delay harmed borrowers because they were "unable to immediately take affirmative measures to prevent or mitigate the resulting harm," said one suit filed by Celeste Allen on Jan 25. The plaintiff, an Academy customer, also mentions the mortgage lender has failed to state "what specific steps Academy took following the data breach to secure its systems and prevent future cyber attacks." 

Another suit filed by Lisa Kucherry on Jan. 31 argues Academy's offer of 12 months of identity monitoring services is "wholly inadequate" because it fails to provide sufficient compensation and doesn't take into account that customers will likely face multiple years of ongoing identity theft.

Academy Mortgage and Planet Home Lending did not respond to a request for comment.

An amendment to the Federal Trade Commission's Safeguards Rule will soon have all mortgage lenders on the hook for reporting large data breaches in a timely manner.The FTC's rule will require nonbanks to notify the agency no later than 30 days after they discover a breach involving the information of at least 500 consumers. The notices must include information about the breach, such as the number of consumers either affected or potentially impacted. 

The reporting requirement goes into effect April 27, 2024.