Servicers say data breaches hit combined 4 million borrowers

The extensive data breach last fall at servicers owned by Bayview Asset Management impacted more than 4 million borrowers, according to new disclosures revealing a third company hit.

An unauthorized person accessed files including the names and Social Security numbers of 116,803 borrowers with Community Loan Servicing, the company revealed in a notice filed last month with the Indiana Attorney General's office. The hack at the Bayview subsidiary occurred at the same time as massive breaches at sister companies Lakeview Loan Servicing and Pingora Loan Servicing.

"This is part of the same incident," said a spokesperson for Bayview in a statement. "The review of the files indicated there were some data related to Community Loan Servicing and individuals were notified."

The Lakeview cyberattack ensnared 2,638,057 borrowers and the Pingora incident involved 1,268,348 consumers, according to public disclosures, bringing the total number of impacted customers at Bayview-owned servicers to 4,023,108.

Additional data was compromised for some Community borrowers including loan application, loan modification and servicing information, the Indiana filing said. It was unclear how many consumers had additional information exposed. The breach occurred between Oct. 27, 2021 and Dec. 7, and none of the servicers have revealed the type of attack nor the culprit. 

Community customers were offered complimentary Kroll credit monitoring, fraud consultation and identity theft restoration services for one year, according to the notice signed by Cristina Arroyo, senior vice president of Legal and Compliance for Community.

The hacks at the Bayview-owned servicers are the largest reported incidents in the mortgage industry in the past 12 months, over double the size of a breach last December at Flagstar Bank affecting 1.5 million customers. At least 79 financial services firms this year have reported data breaches involving at least 1,000 customers, according to publicly available data. The full scope of other data breaches, like a recent hack at KeyBank, have not been disclosed.

The Coral Gables, Florida-based Bayview is facing a class action lawsuit over the breaches in a Florida federal court, a complaint condensed from 22 impacted Lakeview and Pingora borrowers. The suit, in which plaintiffs accuse the servicers of failing to protect their personally identifiable information, does not name Community Loan Servicing, which disclosed its breach four months after the first class action suits were filed.

Attorneys for Lakeview and Pingora filed a motion to dismiss the class action suit last week, arguing plaintiffs haven't alleged harm as required by legal statutes, and pointing to a privacy policy in which Lakeview states it doesn't guarantee the security of PII.

Lawyers for plaintiffs and defendants didn't respond to requests for comment Friday. The sides have agreed to a lengthy case schedule, including discovery and mediation deadlines and a trial date in 2024, according to court filings.