Citywide Home Loans agrees to $1.2M data breach settlement

A Utah-based national home lender will shell out over $1.2 million to settle a class-action lawsuit involving a ransomware attack and compromise of personal employee data.

Without admitting to any liability for the infraction, Citywide Home Loans agreed to the settlement in order to resolve the claims, which came after a November 2020 data breach. In the incident, an unauthorized outside individual gained access to the company's computer network and deployed ransomware, encrypting certain systems that contained the personal identifiable information of Citywide employees.

Included in the compromised data were Social Security numbers, passport and driver's license information and banking and credit card details. Citywide notified affected employees of the incident between February and April 2021. 

Marjorie Curtis, who served as the plaintiff for the class consisting of approximately 3,300 current and former staff members, filed the original lawsuit in October 2021, alleging negligence, breach of contract and invasion of privacy on the part of Citywide Home Loans.

The lender, which has headquarters in Sandy, Utah, did not respond to a request for comment from National Mortgage News prior to publication. Founded in 1998, Citywide is licensed in 35 states and employs more than 800 people. Stearns Lending entered into a shared-equity partnership deal with Citywide in 2018 before it was acquired by Guaranteed Rate in 2021. 

Under the terms of the settlement, individuals who were notified their data was compromised can claim up to $5,000 for economic losses incurred as a result of the cyberattack. Another $200 is available for lost time related to the incident. Citywide also agreed to provide two years worth of credit monitoring and identity-theft protection services from Kroll Associates. 

In order to receive benefits from the agreement, impacted parties must submit claim forms by Aug. 8. A final approval for the settlement is scheduled on Aug. 25.

The cyber incident at Citywide is one of several to have hit mortgage lenders and servicers in the past few years. Earlier in 2023, a noted hacker threatened to publish customer data he claimed to have obtained through cyberattacks on Academy Mortgage after that lender refused to pay any ransom. 

Also this year, Alvaria, a third-party technology vendor contracted by Carrington Mortgage Services became a victim of a ransomware attack that impacted over 50,000 people, with data including names, addresses, loan information and partial Social Security numbers compromised. It was the second attack on Alvaria in the space of a few months, following a late-2022 event. Cybersecurity experts have previously warned of the security threats sometimes coming through outside vendors.

The Federal Bureau of Investigation advises companies to avoid paying ransom following a cyberattack. Payment offers no guarantee data will be returned and could incentivize cyber criminals.