Loandepot faces class action over PII exposure during breach

A class action suit filed in California accuses Loandepot of failing to implement adequate measures to protect its customer data.

In early January, the lender and servicer reported some of its systems were brought down by a cyber attack, during which malicious actors gained access to the personal identifiable information of 16.6 million current and former customers.

On Monday, Loandepot announced it would be notifying individuals impacted by the data leak and will foot the bill for credit monitoring and identity protection services for them.

The suit, filed by Daroya Isaiah in mid-January, argues Loandepot "should have known of the serious risk and harm caused by a data breach" and was "obligated to implement reasonable measures to prevent and detect cyberattacks."

Isaiah claims since the cyber breach, she has seen an uptick in "spam phone calls or text messages; and noticed strange information or accounts on her credit report, which plaintiff believes could be attributed to the data breach." 

Loandepot declined to comment.

According to the complaint, this is at least the second cyber incident reported by the lender since 2022. Isaiah received a prior notice of a data breach in May 2023 regarding a cyber attack in August 2022, which also exposed customer data, the suit noted.

Loandepot's "inadequate data security procedures and practices" has created a serious risk to the plaintiff and the class, including both a short-term and long-term risk of identity theft and other fraud, the legal filing said.

The class action also alleges the California-based lender's practices violated Section 5 of the Federal Trade Commission, which prohibits "unfair ... practices in or affecting commerce" like failing to use reasonable measures to protect users' sensitive data.

Following the attack, Loandepot rebooted its website for Mellohome, the MyLoandepot customer portal and the HELOC portal, the company wrote on its website. Loandepot's servicing customer portal is also back online, but has limited functionality. 

Whether this incident will impact Loandepot's bottom line remains uncertain. The mortgage company has "not yet determined whether the cybersecurity incident is reasonably likely to materially impact the company's financial condition or results of operations," it said in a filing with the Securities and Exchange Commission Monday.

Apart from Isaiah's suit, Loandepot customers have complained across different social media channels that they cannot make payments on their mortgage.

Loandepot's breach is the latest in a string of attacks on companies in the financial services space, including mortgage lender and servicer Mr. Cooper, First American Financial and Fidelity National Financial.

Breaches that hit Mr. Cooper and Fidelity National Financial also resulted in customer data being exposed. Both companies are also facing class action suits from former and current customers.