Following revelations last month of a data breach affecting both consumers and employees, Plaza Home Mortgage is already facing at least two potential class action lawsuits.
Plaintiffs in two separate cases filed their claims in California Southern District court last week after the San Diego-based wholesale and correspondent lender initially sent out notices on May 29. In correspondence sent to potentially affected parties, the company revealed a mid-February
The breach was discovered on March 3, according to a data breach report filed with the Office of the Maine Attorney General. The number of people affected nationwide totaled 137,976, the report said.
"We are very sorry for any concerns that this incident has caused our customers and employees. We will continue to monitor our security systems to safeguard our customers' and employees' information and privacy," Plaza CEO Kevin Parra said in a press statement.
A plaintiff seeking to represent a class of consumers and mortgage applicants took issue with the amount of time Plaza took to disclose the incident, with one claiming they had still not been contacted or offered remediation at the time of the complaint.
"Defendant deprived plaintiff and class members of the earliest opportunity to mitigate their damages caused by the data breach by waiting more than three months to notify affected individuals," attorneys representing litigant Kevin Grubb wrote on June 4.
In a separate filing, lawyers for plaintiff April Powell, who lodged the claim on behalf of former and current employees, also said the data breach may have occurred far earlier than reported.
"After extensive analysis, defendant determined that the data breach occurred on Sept. 12, 2025," Powell's lawyers wrote. Attorneys noted the number of individuals with compromised PII in the employee class totaled more than 40,000.
Plaza disputes ransomware claim
Cybersecurity infiltrator SilentRansomGroup claimed responsibility for the attack on February 27, according to the threat intelligence platform, Ransomware.Live, attorneys said. The alleged perpetrator also goes by names, such as Luna Moth, Chatty Spider and UNC3753, FBI records show.
Plaza executives refuted that claim, explicitly stating it involved unauthorized access to a single employee's computer "and was not a ransomware attack." Other mortgage lenders, though,
In the Powell case, the plaintiff's lawyers did not hold back in accusing the company of suboptimal cybersecurity measures.
"Defendant maintained, used, and shared the PII in a reckless manner. In particular, the PII was used and transmitted by defendant in a condition vulnerable to cyberattacks," they wrote.
Plaza declined comment on either case, noting it was unable to speak about ongoing litigation.
Plaintiffs request third-party auditor
In the late-May announcement, Plaza said it had sent letters via U.S. mail specifically to those it believed were impacted. It also set up a designated website and call center to provide information for concerned consumers and employees.
The company also reported it would provide credit-monitoring and identity-theft services from security-response firm CyEx through its Financial Shield Complete program to parties whose information was compromised.
In the two cases, plaintiffs said they would seek class certification for their lawsuits and demand a jury trial, along with a still-unspecified amount of monetary damages. Estimated claims for each filing total more than $5 million, which would qualify the cases for class action status.
Plaintiffs also asked the court to impose requirements for a third-party auditor to oversee security monitoring and testing. Both are seeking the appointment of a third-party assessor to evaluate and attest to Plaza Home's compliance with the final order on an annual basis.
