Bayview to pay $26 million to settle data breach claims

Bayview Asset Management has agreed to a $26 million settlement to resolve data breach claims for a prospective class of around 5.8 million consumers. 

The sides published the agreement Wednesday in a Florida federal court, and it's subject to a judge's approval. The deal would close sprawling class action litigation filed in 2022, after Bayview's servicing subsidiaries disclosed a major cyberattack in late 2021. 

The settlement is also separate from a $20 million penalty state regulators imposed on Bayview last January over its handling of the incident. The hack and subsequent litigation, involving Lakeview Loan Servicing, Pingora Loan Servicing, and Community Loan Servicing, has no relation with Guild Mortgage, which Bayview purchased last year.

The servicer announced the settlement last November, although it hadn't revealed financial details. According to Wednesday's filings, the fund will reimburse consumers' documented out-of-pocket losses up to $5,000, and dole out cash for separate classes of California and nationwide consumers on a pro rata basis. The agreement also provides one year of identity theft monitoring and insurance for consumers valued at $32.95 per month. 

The parties reached the agreement as a motion for class certification was pending before the court. Earlier in the case a federal judge had gutted consumers' claims, but plaintiffs regrouped and were currently accusing Bayview of violating several state consumer protection laws.

Neither attorneys for both parties nor spokespersons for Bayview responded to immediate requests for comment Wednesday afternoon. 

How the massive settlement was reached

The case began with a cyberattack in October 2021, in which hackers were allegedly in the servicers' systems for 41 days uninterrupted. According to one deposition excerpt among hundreds of case filings, the hack may have stemmed from an employee clicking a link in a work-related search. 

The perpetrators of the hack were never identified in public documents.

An outside entity allegedly told Bayview that its systems were breached. Community, Lakeview and Pingora began to reveal the attack in successive public filings in early 2022, and data breach lawsuits began to pile up that year. 

The lawsuit involved nearly three dozen depositions between the sides, and attorneys reviewed over 564,000 documents combined, according to court filings Wednesday. The sides first discussed a settlement in 2023, and reached the agreement in their third meeting in November. 

The agreement also doesn't call for enhanced cybersecurity measures at Bayview, although the servicers already agreed to increased efforts and monitoring in the earlier settlement with regulators. 

If approved, the Bayview settlement would be among the largest cybersecurity deals with consumers in the mortgage industry in recent years. Loandepot in 2024 agreed to pay $25 million to consumers over a hack affecting 16.9 million consumers, while Flagstar Bank in November OK'd a $31.5 million settlement to resolve claims with over 2 million customers.