Evolve faces suit over massive data theft

A class action lawsuit claims a ransomware gang stole more than 20 terabytes of information from vendor Evolve Mortgage Services in a purported incident the company has not disclosed.

Former employee Rebekah Hardy sued Evolve last month in a Texas federal court for negligence, for failing to protect consumers' data in a breach which allegedly occurred in October. The lawsuit contains few specifics but refers to a known ransomware gang claiming responsibility for a major hack of the company's systems.

Evolve, formerly known as MRN3, offers a variety of origination, closed loan and third-party services, from underwriting to securitization support services. 

"Defendant had no effective means to prevent, detect, stop, or mitigate breaches of its systems—thereby allowing cybercriminals [to] roam undetected for at least three days and steal its current and former employees' and clients' private information," the lawsuit read. 

The complaint contains an image from an open-source ransomware intelligence site, in which the INC Ransom group posted alleged screenshots of the files it stole from Evolve. The hackers claim to hold data dating back to 2016 including Social Security numbers, scans of client identifications and full credit histories of customers. 

Evolve has not revealed any cybersecurity incident in several state attorneys general data breach databases, and did not return requests for comment Tuesday. In a response to Hardy's lawsuit last week, the company largely denied wrongdoing and demurred on the attack details.

"Defendant is without sufficient information to admit or deny the allegations in this paragraph," wrote attorneys for Evolve, in direct response to Hardy's description of the hack. 

An attorney for Hardy also didn't respond to a request for comment Tuesday. The plaintiff alleges a class spanning thousands of victims. Neither filing deadlines nor hearings have yet been scheduled in the month-old lawsuit. 

Evolve is also not related to the depository which suffered a significant data breach in 2024.

Vendor incidents cause pain across the industry

While there's no official confirmation as to whether Evolve suffered an incident, there's also no straightforward timeline to a public notice. 

Financial services firms are subject to cybersecurity disclosure requirements, although they often wait for breach investigations to unfold, and sometimes forgo reporting the incident altogether. Data breach litigation usually springs up immediately after a company discloses an incident, and Hardy's lawsuit is a rare, preemptive complaint. 

Whereas attacks on lenders typically compromise the personal identifiable information of mortgage applicants and borrowers, vendor hacks can affect business partners and company employees. One recent instance is a hack at vendor SitusAMC, which may have affected JPMorgan Chase and Citigroup.

Flagstar Bank also recently agreed to a $31.5 million settlement with over 2 million consumers affected by the bank's alleged use of an aging file transfer software, which allowed hackers to gain access to its systems.