Pingora Mortgage Servicing Data Breach Class Action

This class action brings suit against two companies, Pingora Loan Servicing, LLC and Pingora Asset Management, LLC. The complaint alleges that the two companies bear responsibility for a data breach that took place near the end of 2021. The complaint alleges the data breach was able to take place because of Pingora’s “unlawful, willful and wanton failure to reasonably protect” the personally identifiable information (PII) stored in its systems.

The class for this action is all persons whose PII was compromised as a result of the data breach at Pingora, between October 27 and December 7, 2021.

Pingora provides loan servicing tasks for mortgage lenders, including duties such as payment collection. In this role, Pingora collects and keeps on file a great deal of PII related to the borrowers of the mortgages it services and their applications, modifications, and servicing.

Pingora discovered that unauthorized parties had intruded into its computer systems in December 2021. It hired third-party specialists to help it investigate the attack, and found that it had taken place between October 27 and December 7, 2021. Pingora reported that the PII exposed to the cybercriminals included names, addresses, Social Security numbers, loan numbers, and other information relevant to loan applications, modifications, and servicing.

Unfortunately, Pingora did not provide the individual victims with timely notice of the data breach. The two plaintiffs in this case, Michael Kassem and Kimberley Rowton, both were victims of the cybercriminals before they even received notice of the data breach.

Pingora was servicing a mortgage for Kassem that he had taken out in 2019. Among the PII he provided to Pingora were financial account information, investment account information, information on other loans, and employment and income information.

The complaint alleges, “In or around December 2021, Plaintiff Kassem was notified by the Georgia Department of Labor that someone had filed a fraudulent unemployment claim using his Social Security number. Kassem did not receive a notice of the data breach until around four months later, around April 2022.

For Rowton, Pingora was servicing a mortgage buyout that she had entered into sometime around April 2021. She had provided Pingora with financial account information and statements, investment account information and statements, information on other loans, and employment information such as W-2s and tax reports.

The complaint alleges, “In or around January 2022, Plaintiff Rowton became aware that someone had used her PII to access one of her investment accounts and fraudulently transferred money from it.” Rowtin did not receive a notice of the data breach until around three months after this event, around April 2022.

The complaint alleges that Pingora could have prevented the data breach. It quotes Lucy Thompson’s Data Breach and Encryption Handbook as saying, “In almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy