
Lower Fails to Protect Customer PII Class Action

Financial firm Lower, LLC offers mortgages, home loans, and refinancing for individuals and businesses. But the complaint for this class action alleges that the company did not protect the personally identifiable information (PII) of its customers, even storing the information without encryption, leading to a data breach.

The class for this action is all persons Lower, LLC identified as being impacted by the data breach, including all those who were sent a notice of the data breach.

On December 14, 2021, the complaint alleges, Lower discovered “unusual activity” in its systems, and three days later, it determined that an unauthorized party had stolen customer data. However, Lower did not send out a Notice of Data Incident until approximately six months later, on or about May 27, 2022.

The complaint alleges that hackers accessed the systems and removed data between December 10 and December 14, 2021. But that wasn’t all, the complaint says: “The letter further stated that Lower had also identified suspicious activity in its employee email accounts between September 6, 2021 and December 16, 2021. Lower also stated that it did not identify, until April 28, 2022, that consumers’ names and Social Security numbers had been impacted by the Data Breach.”

Lower also told customers that it keeps dates of birth, financial account information, and driver’s license information on file, the complaint says, and that these may also have been taken in the data breach.

Lower required that customers provide it with private information in order to do business with the company, the complaint alleges, and customers in turn “relied on the sophistication of [Lower] and its network to keep their PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.”

The complaint claims that the Notice did not identify the method the hackers used to gain access to Lower’s systems, the specific steps Lower took to secure its email system, or the true scope of the intrusion into its systems between September and December 2021.

In fact, the complaint alleges, Lower has not given the individual victims enough specific information about the breach. It claims the company “speaks in generalities and equivocations, claiming that it only knows that ‘it is possible [additional information we maintain] may have also been on an involved system,’ and ‘the ongoing review of the involved Lower systems identified your name and [S]ocial [S]ecurity number.’”

According to the complaint, Lower did not follow recommendations for data security set forth by the US Government, the US Cybersecurity & Infrastructure Security Agency, or the Microsoft Threat Protection Intelligence Team.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Lower Fails to Protect Customer PII Complaint

July 27, 2022

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy