LoanDepot Customer Sees Uptick in Spam Calls Since Firm's Data Breach: Suit
San Diego County plaintiff Melissa Ryan has experienced an uptick in spam calls since an early January data breach at her mortgage lender, loanDepot, said her negligence class action Thursday (docket 2:24-cv-03630) Thursday U.S. District Court for Central California.
Ryan’s complaint noted loanDepot had another data security incident in August 2022, which it didn’t disclose until May 2023. Ryan received a notice of the January breach Feb. 23, the complaint said. The lender reported the cybersecurity in a Jan. 8 SEC filing.
The Irvine, California-based company updated the SEC filing Jan. 22, saying 16.6 million individuals were affected by the breach in which an unauthorized third party gained access to its systems. The updated notice and a news release said the company would notify affected individuals and offer credit monitoring and identity protection services at no cost to them. The boilerplate statement at the end of the release said the company “revolutionized the mortgage industry with a digital-first approach that makes it easier, faster and less stressful to purchase or refinance a home.”
LoanDepot's privacy policy states that it collects data from customers such as demographic information; Social Security and passport numbers; loan and bank account numbers; real estate-, loan-, insurance- and credit-related information; and financial information, including assets, savings and insurance. The company “adopted policies and procedures designed to protect your personally identifiable information [PII] from unauthorized use and disclosure,” it said, and it implemented physical, electronic and procedural safeguards to maintain the confidentiality of the PII in its possession.
The complaint cited a 2010 FTC report citing evidence that showed that technological advances have made it possible for hackers to take different PII elements from various sources and link them “to identify an individual, or access additional information about or relating to the individual,” it said. Computer programs may be able to “scan the Internet with wider scope to create a mosaic of information that may be used to link information to an individual in ways that were not previously possible,” it said.
Ryan and class members will have a “heightened risk of injury” from identity theft as a result of the breach, the complaint said. Though the FBI warned the real estate industry in 2017 of a “large spike in cyberattacks specifically targeting real estate companies,” loanDepot “ignored these warnings and risks and failed to invest in sufficient privacy and security protections,” it said.
In addition to negligence, Ryan alleges violations of California’s Consumers Legal Remedies and Customer Records acts; and its Business and Professional Code; plus breaches of contract, implied contract and fiduciary duty, unjust enrichment and invasion of privacy. She seeks an injunction requiring loanDepot to provide adequate security for the PII it collected from her and class members and that it implement reasonable security measures. She seeks awards of compensatory, consequential, incidental and statutory damages; restitution and disgorgement; credit monitoring and identity theft protection services; attorneys’ costs and expenses; and pre- and post-judgment interest. LoanDepot declined to comment Friday.