Nations Direct agrees to settlement over 2023 data breach

Wholesale lender Nations Direct Mortgage will settle a class action suit resulting from a 2023 cyberattack that led to the leak of personal data belonging to more than 83,000 consumers.

The Henderson, Nevada-based business first began notifying victims and regulators in the months following a one-day cyber incident took place in late December 2023. Following the data breach, the company encountered multiple lawsuits, with the estimated number of affected consumers across the U.S. totaling 83,108. Initial court filings reported the monetary amount of damages would exceed $5 million.

Under terms of the settlement, Nations Direct will reimburse each class member up to $2,750 for losses associated with the incursion, including any that led to fraud and identity theft. A subclass of California residents is also eligible for an additional payment of $75.

The lender also agreed to make available identity-monitoring services for up to 24 months, extending an initial similar offer made when it delivered the first notifications. The service includes $1 million in ID-theft insurance.

Nations Direct had not responded to a request for comment prior to publication.

In agreeing to settle, Nations Direct made no admission of fault or wrongdoing connected to the event, but plaintiffs alleged that the lender's failure to enact proper cybersecurity measures led to the data breach. Personal data that could be potentially compromised include Social Security numbers, birth dates and private banking information. 

Legal headaches following data incidents

The Nations Direct incident occurred during a period of elevated cybersecurity threats that plagued the real estate community in late 2023 and early 2024. Attacks struck businesses large and small, including mortgage companies Mr. Cooper and Loandepot as well as title firms First American and Fidelity National. 

Each event subsequently brought with it a flurry of class action litigation that could extend for years. Currently, Mr. Cooper, which was purchased by Rocket earlier this year, is still in the midst of various legal battles resulting from its October 2023 cyberattack.

Other companies, like Nations Direct and Loandepot, chose to settle, with the latter coming to terms of a legal agreement at the end of 2024. 

Meanwhile, in October, Flagstar Bank also signed off on one of the largest data-breach settlements for two separate incidents that took place in 2021. In November, Bayview Asset Management likewise agreed to settle a long-running suit resulting from a data hack prior to the close of its merger with Guild Mortgage. 

The Nations Direct announcement also comes weeks after Towne Mortgage disclosed a summer 2024 cyber event that resulted in compromised data of at least 474 households. Several suits have already been filed against the Michigan-based lender since the mid-November notification. 

While the frequency of reported mortgage data breaches has subsided from the rapid pace of two years ago, the ongoing threat remains in the lending industry. In addition to Towne, residential lenders targeted by cybercriminals in 2025 include the likes of Go Mortgage and New American Funding.