Three servicers in a
A proposed amended complaint, filed by plaintiffs in January, reveals more details around the cyber attack and Bayview's response. Impacted consumers suggest Bayview failed to follow industry-standard data security precautions. The
"The proposed amended complaint is replete with unnecessary and out-of-context quotes from dozens of confidential documents and, thus, violates the protective order," wrote attorneys for Bayview, referencing an earlier agreement to keep sensitive information out of public view.
The servicers are Community Loan Servicing, Lakeview Loan Servicing and Pingora Loan Servicing. A representative for Bayview and lawyers for both sides didn't respond to requests for comment on March 1.
Bayview is accused of failing to encrypt personally identifiable information; neglecting to delete it after it was no longer needed; the information stored it in a vulnerable, internet-accessible environment, according to plaintiffs. The firm also allegedly failed to test its systems for Cobalt Strike, a cybersecurity tool
The proposed filing continually references discovery documents, with paragraphs beginning to discuss the company's internal cybersecurity discussions and protocols before redacted text follows.
"Internal documents reveal a classic instance of "group think" and organizational inertia," the proposed complaint states.
Other public case filings from the past few months offer more clues into the incident, in which a hacker was reportedly in the servicers' systems for 41 days uninterrupted.
A witness, in
Other documents identify the cybersecurity businesses Bayview worked with over the course of the incident. The Mutlistate Mortgage Committee, made up of state mortgage regulators, requested post-breach reports from cybersecurity companies Mandiant and Protiviti, another filing states.
Bayview's latest motion also asks a federal judge to reject plaintiffs' attempt to add five more affected customers and additional claims to the lawsuit after agreed-upon deadlines to do so. Counsel for Bayview say a new breach of contract claim, which alludes to alleged data security agreements in mortgage servicing rights deals, is unfounded.
"Plaintiffs' allegation that these complex, multi-million dollar transactions are accomplished through 'standard agreements' is not remotely plausible," they wrote.
The sides are meanwhile arguing in opposing motions over a subpoena for a third party technology firm which worked with Bayview through the incident. A jury trial date in the case has not been scheduled; a judge last year canceled the previous July 2024 schedule.
The Bayview case offers one of the more detailed looks into post-breach litigation amid a spate of class action complaints against mortgage firms reeling from major attacks. Lawsuits against
Other legal action has been filed recently against firms disclosing attacks in the past few months including