American Financial Resources PII Exposed in Data Breach Class Action

As a company that provides mortgage and real estate lending services, American Financial Resources, Inc. (AFR) collects and stores a great deal of sensitive personal information on its customers. The complaint for this class action alleges that AFR did not properly safeguard the personally identifiable information (PII) of consumers, employees, and former employees that it held in its systems, and says it should take responsibility for a data breach that occurred in its systems in December 2021.

The class for this action is all persons living in the US who received or were otherwise sent the AFR notice informing them that their data may have been compromised in the data breach.

According to the notices sent to attorneys general in various states, during December 6-20, 2021, AFR’s network was “accessed without authorization” by unknown third parties, exposing and permitting access to the PII it stored. The complaint alleges that the company’s investigation of the data breach ended on February 4, 2022.

The information accessed included names, Social Security numbers, account numbers, and, for some individuals, driver’s license numbers. “Upon information and belief,” the complaint says, “the PII was not encrypted prior to the data breach.”

The complaint alleges that “by obtaining, collecting, using, and deriving benefit from [the] PII, [AFR] assumed legal and equitable duties to those persons, and knew or should have known that it was responsible for safeguarding and protecting [the] PII from unauthorized disclosure or criminal hacking activity.”

It also alleges that AFR is responsible for the data breach, because of its negligence and its many failures, including failure to design and implement adequate security systems, failure to exercise reasonable care in hiring, supervising, and training its employees and agents, failure to comply with industry-standard security practices, and failure to comply with federal and state laws about security and privacy practices.

“Upon information and belief,” the complaint also claims that AFR was negligent and “failed to take basic security measures such as encrypting its data or following industry security standards. Moreover, [AFR] failed to recognize and detect that unauthorized third parties had accessed its network.” It claims that, with better security measures, it could have discovered the data breach sooner, or even prevented it altogether.

“In this era of frequent data security attacks and data breaches, particularly in the financial industry,” the complaint alleges, AFR’s “failures leading to the Data Breach are particularly egregious, as this Data Breach was highly foreseeable.”

Because AFR failed to prevent the data breach, the complaint claims that those whose information was stored in its system are now at risk of identity theft and fraud, now and for years to come.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Negligence, Your Privacy