Servicers say data breach legal filing is too revealing

Three servicers in a data breach lawsuit are seeking to block a filing from plaintiffs the firms say shares too many confidential details about the incident. 

Bayview Asset Management and its servicing subsidiaries filed their objection February 28 in federal court, the latest turn in a case centering on a data breach. Dozens of plaintiffs want to enforce a bevy of cybersecurity measures at the firms, while also receiving damages, for the hack in late 2021, which compromised the sensitive data of over 5 million consumers. A judge in December gutted all but one of their claims.

A proposed amended complaint, filed by plaintiffs in January, reveals more details around the cyber attack and Bayview's response. Impacted consumers suggest Bayview failed to follow industry-standard data security precautions. The 225-page filing features numerous redacted portions of information gleaned from confidential discovery, text hinting at details not usually disclosed in similar lawsuits across the industry. 

"The proposed amended complaint is replete with unnecessary and out-of-context quotes from dozens of confidential documents and, thus, violates the protective order," wrote attorneys for Bayview, referencing an earlier agreement to keep sensitive information out of public view.

The servicers are Community Loan Servicing, Lakeview Loan Servicing and Pingora Loan Servicing. A representative for Bayview and lawyers for both sides didn't respond to requests for comment on March 1. 

Bayview is accused of failing to encrypt personally identifiable information, neglecting to delete it after it was no longer needed, and storing it in a vulnerable, internet-accessible environment, according to plaintiffs. The firm also allegedly failed to test its systems for Cobalt Strike, a cybersecurity tool used by both professionals and bad actors, and by the purported Bayview perpetrator.

The proposed filing continually references discovery documents, with paragraphs beginning to discuss the company's internal cybersecurity discussions and protocols before redacted text follows. 

"Internal documents reveal a classic instance of 'group think' and organizational inertia," the proposed complaint states.

Other public case filings from the past few months offer more clues into the incident, in which a hacker was reportedly in the servicers' systems for 41 days uninterrupted. 

A witness, in one deposition excerpt, confirmed to an attorney the "root cause" of the attack stemmed from an employee clicking a link in a work-related search result. A different witness in the same public excerpt said the perpetrator was never clearly identified. 

Other documents identify the cybersecurity businesses Bayview worked with over the course of the incident. The Multistate Mortgage Committee, made up of state mortgage regulators, requested post-breach reports from cybersecurity companies Mandiant and Protiviti, another filing states.

Bayview's latest motion also asks a federal judge to reject plaintiffs' attempt to add five more affected customers and additional claims to the lawsuit after agreed-upon deadlines to do so. Counsel for Bayview say a new breach of contract claim, which alludes to alleged data security agreements in mortgage servicing rights deals, is unfounded.

"Plaintiffs' allegation that these complex, multi-million dollar transactions are accomplished through 'standard agreements' is not remotely plausible," they wrote. 

The sides are meanwhile arguing in opposing motions over a subpoena for a third-party technology firm which worked with Bayview through the incident. A jury trial date in the case has not been scheduled; a judge last year canceled the previous July 2024 schedule.

The Bayview case offers one of the more detailed looks into post-breach litigation amid a spate of class action complaints against mortgage firms reeling from major attacks. Lawsuits against KeyBank and Flagstar Bank over their respective incidents remain pending. 

Other legal action has been filed recently against firms disclosing attacks in the past few months, including loanDepot, Mr. Cooper and Fidelity National Financial.
