Academy Mortgage accused of dragging feet in data breach alert

Academy Mortgage is accused of slow-walking its effort to inform customers of a data breach that took place in mid-2023, which has made them vulnerable to identity theft.

A class action suit filed in the state of Utah by a former borrower alleges Academy lost control of its computer network and of highly sensitive personal information on March 21, 2023, but reported it to customers on Dec. 20, 2023, "an appalling nine months after the data breach occurred."

A little over 280,000 customers had their birth dates and Social Security numbers compromised during the breach, a notice filed by Academy to the Office of the Maine Attorney General shows.

The plaintiff, Lazaro Stern, blames Academy for failing to train its employees on cybersecurity, neglecting to adequately monitor its agents, contractors, vendors and suppliers handling PII and not maintaining reasonable security safeguards to protect customer data.

All of the above rendered the Utah-based mortgage lender an "easy target for cybercriminals," the suit alleges. 

Academy Mortgage did not immediately respond to a request for comment. 

BlackCat, also known as Alphv, took credit for the data breach and has threatened to release customer data if a ransom is not paid. It is unclear whether the mortgage lender paid said ransom or if data was ever released to the dark web. International authorities in December seized the ransomware gang's dark web leak internet site. 

BlackCat has also taken credit for a November attack on Fidelity National Financial.

According to Stern's suit filed Jan. 5, Academy's breach notice was unclear about the nature of the cyber attack and the threat it posed, leaving out information regarding why it took so long for the lender to notify customers.

The mortgage company's failure to report the incident in a timely manner "made the victims vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their PII," the filing states. In doing so, Academy "violated state law and harmed an unknown number of its current and former consumers" and "betrayed" the trust of customers by not having up-to-date security practices to prevent a cyber attack, Stern's suit said.

Academy in a consumer notice mailed Dec. 20 wrote it wiped and rebuilt affected systems and has taken steps to bolster network security. "We are also reviewing and altering our policies, procedures and network security software relating to the security of our systems," it said.

The mid-sized mortgage lender boasts over $35 million in annual revenue, according to the suit. Academy is licensed to operate in all 50 states and in Washington D.C.