Communications Litigation Today was a Warren News publication.
$12M-$17M Q1 Hit

Plaintiffs in LoanDepot Class Action Seek 3 Years' Credit Monitoring After Data Breach

Some 21% of data breach victims don’t realize their identity has been compromised until more than two years after it has happened, said a class action (docket 8:24-cv-00433) brought by three plaintiffs vs. loanDepot Friday in U.S. District Court for Central California in Santa Ana.

LoanDepot is offering data breach victims 24 months of credit monitoring and identity theft protection through Experian at no cost to them, said loanDepot's notice filed with the Maine attorney general's office. The plaintiffs are seeking three years’ free credit monitoring from the defendant among other damages.

In a Feb. 26 SEC filing, loanDepot said it expects the cyberattack to have a “material impact” on Q1 financial results but not on full-year results. The mortgage lender expects to record $12 million-$17 million of expenses related to the incident, said the filing.

Plaintiff Benjamin Soto of Sharpsburg, Maryland, noticed a “significant increase” in spam calls, texts and emails during January and February, following the Jan. 3-5 data breach that affected over 16.9 million loanDepot customers, said the complaint. Soto contacted the company and was notified of the breach; he contacted loanDepot again Thursday and was told he would soon receive a letter formally notifying him of the breach.

Plaintiff Cimarron Buser, a resident of Wellesley Hills, Massachusetts, and John Sedlacek of Pittstown, New Jersey, were notified by loanDepot of the breach and the impact to their personally identifiable information (PII) on Feb. 29, the complaint said. A Feb. 26 blog from the CyberRisk Alliance said ransomware gang Alphv/BlackCat claimed responsibility for the incident Feb. 16.

LoanDepot first reported the incident to the SEC Jan. 4, said a filing dated Jan. 8, saying it recently identified a cybersecurity incident affecting certain of its systems. The “unauthorized third party activity” included access to company systems and the encryption of data, it said. In response to the cyberattack, loanDepot “shut down certain systems and continues to implement measures to secure its business operations, bring systems back online and respond to the incident,” it said.

Also on Jan. 8, loanDepot posted to its website that it had taken certain systems offline and was “working diligently to restore normal business operations as quickly as possible (see 2401260053). The company retained a forensics expert and was working with law enforcement. LoanDepot gave staggered updates over the next couple of weeks, including four Jan. 18, telling customers when certain portals were back online. A Jan. 22 update said the company would notify affected individuals and offer credit monitoring and identity theft protection services.

Soto, plaintiffs and class members suffered actual damages including time related to monitoring their financial accounts for fraudulent activity, increased and imminent risk of fraud and identity theft, and lost value of their personal information, said the complaint. Plaintiffs and class members are now forced to spend additional time, effort, and expenses to review credit reports, monitor financial accounts, and monitor for fraud or identify theft “since the compromised information may include Social Security numbers,” it said.

Causes of action are negligence and negligence per se; breach of fiduciary duty, confidence and implied contract; intrusion upon seclusion and invasion of privacy; unjust enrichment; and violation of the New Jersey Consumer Fraud Act. Plaintiffs seek orders requiring loanDepot from engaging in the wrongful conduct described; to use appropriate policies for consumer data collection; “not less than three years” of credit monitoring; actual, compensatory, punitive, and statutory damages and penalties; attorneys’ fees and costs; and pre- and post-judgment interest. The company has no comment due to the pending litigation, a spokesperson emailed.