One of the largest loan-servicing companies in the nation, Lakeview Loan Servicing LLC, is facing at least a dozen civil lawsuits, all seeking class-action status, in the wake of a major cyberattack that compromised the personal data of the mortgage borrowers the company serves.
That data breach, revealed by Lakeview in mid-March, targeted the personal information of some 2.5 million borrowers, including their Social Security numbers.
The pending lawsuits, 11 of which have been consolidated into a single master case in federal court in Miami, seek unspecified monetary damages, including attorney’s fees and court costs. Other relief sought includes an order requiring Lakeview to protect, via encryption, all data collected in accordance with federal and state laws.
Although the class-action pleadings so far list no specific dollar amount as part of damages sought, the end result for Lakeview could be very expensive.
Past litigation filed against financial companies victimized by similar cybercrimes has resulted in settlements ranging from $120 million to $700 million — including penalties from regulators; class-action monetary settlements; and identity theft provisions and insurance for affected class members.
The pending litigation against Lakeview points out that the data breach took place from Oct. 27, 2021, to Dec. 7, 2021, but Lakeview did not figure out what data had been compromised until Jan. 7, 2022 — in the wake of retaining an investigation team to identify the data accessed.
“Then LLS [Lakeview Loan Servicing] sat on the information for over a month — failing to disseminate data-breach consumer notifications until March 18, 2022,” a lawsuit filed by Andrew Guarino of Massachusetts alleges.
Another lawsuit, filed by Texas resident Stephenie Stone, claims the data compromised includes “names, addresses, loan numbers, and Social Security numbers.”
“[Lakeview] sent templates of the notice of data breach letter to state attorneys general,” Stone’s litigation alleges. “Specifically, [Lakeview] sent a template of the notice of data breach letter to the Maine Attorney General and identified that approximately 2,537,261 individuals … had their PII [personally identifiable information] accessed, exfiltrated [withdrawn surreptitiously], and/or compromised on the data breach.
“The Texas Attorney General’s Office notes the data breach was published to its website on March 21, 2022, and affected 255,762 Texans.”
Both Guarino’s and Stone’s cases have been consolidated in federal court in Florida, along with nine other class-action cases filed so far — with the South Carolina case still pending separately. The litigation claims Lakeview should have better protected its customers’ data, given the known threat from cybercriminals.
“Over 62% of the 164 million sensitive records exposed in data breaches in 2019 were exposed in … 108 breaches in the banking/credit/financial sector,” the Guarino litigation states. “The 108 … financial sector data breaches reported in 2019 exposed 100,621,770 sensitive records, compared to 2018 in which only 1,778,658 sensitive records were exposed in financial-sector breaches.
“… Social Security numbers, for example, are among the worst kind of personal information to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change.”
Another lawsuit that is now part of the consolidated case in Florida federal court, filed by California resident Jennifer Morrill, states that personally identifiable information is a high-value commodity in the criminal world, “as evidenced by prices they will pay through the dark web.”
“Numerous sources cite dark web pricing for stolen identity credentials,” Merrill alleges in her litigation. “For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.
“Experian reports that a stolen credit or debit card number can sell for $5 to $110 on the dark web. Criminals can also purchase access to entire company data breaches from $900 to $4,500.”
Attorneys for Lakeview did not respond to a request for comment. Lakeview pleadings so far have centered on procedural moves over adding attorneys and to consolidate the pending cases, and similar cases yet to be filed, into master case in U.S. District Court in Miami.
Lakeview, based in Coral Gables, Florida, is part of the Bayview Companies and a subsidiary of Bayview MSR Opportunity Master Fund LP. It also is an affiliate of Bayview Asset Management, a certified minority-owned and private equity firm with hedge fund holdings.
As of May, Lakeview ranked nationally as the fifth largest servicer of agency-backed loans (Fannie Mae, Freddie Mac and Ginnie Mae). The company controls 4.6% of all agency loans being serviced — with a $374.8 billion portfolio based on the total unpaid-principal loan balance, according to a recent report from mortgage-data analytics firm Recursion. Overall, according to its website, Lakeview claims to be the fourth-largest mortgage loan servicer in the country,
Past settlements in data-breach cases involving compromised personal and/or business information include Capital One, $190 million for members of the class, in addition to $80 million to settle claims by regulators; Morgan Stanley, $120 million, including civil penalties paid to regulators; and Equifax, $700 million to settle claims by consumers and regulators.
The dozen federal civil lawsuits filed in reaction to the Lakeview data breach to date, each of which make similar claims and seek similar damages, accuse Lakeview of negligence, breach of contract and fiduciary duty, unjust enrichment as well as violations of state consumer privacy and unfair business practices laws.
All but one case is already filed in U.S. District Court in Miami, with the outlier filed in U.S. District Court in South Carolina in Spartanburg. In that case, there is a pending motion filed by Lakeview to consolidate the case with the master case now pending in federal court in Miami or otherwise stay the case pending the outcome of the master case.
Since the federal judge in Florida ordered the cases to be consolidated in U.S. District Court in Miami, an additional two lawsuits have been folded into the original nine cases, with the potential for future cases filed around the country to be consolidated with the master case as well. All the cases so far are seeking class-action certification, including the case in South Carolina not yet part of the consolidated action.
“Particularly in cases involving class actions, the court has broad discretion to transfer and consolidate cases that involve the same questions of law and fact,” said Stephan Rogers, a partner with Rogers & Elliott PLLC., a San Antonio, Texas-based law firm specializing in civil litigation, civil appeals and real estate law. “Here, the Florida court is consolidating the cases filed there for purposes of pre-trial proceedings — primarily discovery and pre-trial motions.
“With respect to the South Carolina motion to transfer, if the plaintiffs do not oppose the motion, it will be granted. If the motion is opposed, it will be up to the court to decide whether to transfer venue to Florida ‘for the convenience of parties and witnesses, in the interest of justice,’ in accordance with the change of venue statute.”
Absent a quick settlement, the Lakeview case, including appeals, could take years to play out, however.
The Capital One litigation, which centered on a 2019 data hack that affected 98 million U.S. residents and compromised some 140,000 Social Security numbers and 80,000 bank account numbers, took more than two years to settle. The Equifax data-breach occurred in 2017, affecting 147 million people, including compromising Social Security numbers. An appeal in that case was finally resolved in the summer of 2021, upholding the class-action settlement.
The problem of cybercrime is not going away anytime soon, cybersecurity experts stress. If measured as a country, the cost of cybercrime globally would represent the third-largest nation on earth, behind the U.S. and China, according to Marianne Bailey, a partner at cybersecurity firm Guidehouse and former deputy national manager for national security systems at the National Security Agency, better known as the NSA.
“In 2021 there were predicted damages of $6 trillion in U.S. dollars globally.” Bailey said during a panel discussion on cybercrime at a recent Mortgage Bankers Association (MBA) convention in New York.
“Global cybercrime costs are expected to grow by 15% per year over the next five years reaching $10.5 trillion in U.S. dollars annually by 2025,” Bailey added. “We’re in this huge digital ecosystem. We’re becoming more and more digitally connected, with everything that we’re doing in life, and so all that stuff is up for grabs by cybercriminals.”
Bailey said cybercrime is still perpetrated by lone wolves, but increasingly it’s the domain of organized crime and nation-state backed cybercriminals — and she singled out Russia as one of those nation states.
“People don’t realize that there has been a low-level cyber war for decades,” she said. “So, they’re getting into everything. They’re very, very sophisticated.”
Jason Doshi, CEO and co-founder Paymints.io, which provides a digital payment platform for real estate transactions, also was part of the panel at the recent MBA convention. He said loan-servicing companies are a target-rich environment for cybercriminals.
“They have sensitive client information. They have the credit profiles. They have banking information because they are collecting payments,” Doshi said. “They are a huge target.”
Doshi added that as loan servicing becomes “more and more digital,” it becomes “more vulnerable” to cyberattacks.
“I was speaking with someone from one of the largest servicers in the country, and they’re saying [only] 8% of their clients are actually still requesting paper statements,” Doshi said. “So, they don’t even want a paper statement in the mall anymore. It’s all digital.”