Optimum First hit with class action after recent data breach

Following the disclosure of a mid-June data breach, Optimum First Mortgage now faces a proposed consumer class action lawsuit.

In documents filed this week, Optimum First customer Diane Adams said she seeks to represent a class of consumers who suffered harm from alleged negligence and unjust enrichment on the part of the Southern California-based lender. The case was filed in California Central District Court. 

Lawyers for Adams, a Philadelphia resident, claim Optimum First had the means to protect personally identifiable information but failed to invest in the necessary resources. 

"Had the information been properly encrypted, the data thieves would have exfiltrated only unintelligible data," the documents stated. Adams' attorneys also described Optimum First's data security measures as "woefully inadequate," making a cyber incident foreseeable. 

"There is a close causal connection between defendant's failure to implement security measures to protect plaintiff's and class members' private information, and the harm, or risk of imminent harm, suffered by plaintiff and the class," they further argued.

A ransomware group claimed on dark web channels that it had attacked the lender and gained access to a large volume of data.  Revelations of the data breach, which took place around June 15th, were made public later the same week, with the group threatening to release private information online.

Following the announcement, cybersecurity platforms estimated 9.3 terabytes of Optimum First data had been compromised. The company's leaders disputed that number last week, according to their own internal investigation. 

The lender had not responded to a request for comment about the newly filed lawsuit before publication. In a statement last week, officials underscored that its review had not shown evidence of infiltration of loan origination and application software systems. 

What the plaintiff seeks

Along with seeking class certification, Adams' lawyers are also requesting appropriate monetary relief, including actual and statutory damages, as well as related legal fees. Adams is also asking the court to issue injunctive relief that would mandate Optimum First to immediately employ protocols consistent with law and industry standards to protect private customer data. 

"Plaintiff has experienced anxiety and increased concerns for the loss of her privacy, as well as anxiety over the impact of cybercriminals accessing and using her private information," the filing said. 

The cyberattack on Optimum First was the second incident of note to emerge in the past several weeks, after news broke of a similar incident hitting San Diego-based wholesale lender Plaza Home Mortgage in the first quarter of 2026. In that case, the number of potentially affected individuals approached 138,000 and includes both customers and employees. 

Like Optimum First, companies suffering from cyberattacks this year have been met almost immediately with class action litigation, with some even arriving before public disclosure.

Last week, appraisal management firm SitusAMC agreed to resolve a class action case it was facing after being struck by a major incident in late 2025. The provider of loan-level data to financial institutions, including large banks, will pay out $5.3 million to almost 663,000 members affected by a November 2025 breach.