Breach Tracker

Data Breach Tracker: real estate & lending

A running look at notable data breaches across mortgage, lending, and title/settlement — and the controls that would have reduced the risk. Every entry links to a primary or reputable source.

2026
Jun 2026 · Mortgage lender · Southern California

Optimum First Mortgage — Southern California (Mortgage Lender)

  • Incident: Ransomware group “PEAR” claimed a June 19, 2026 attack and theft of ~9.3 TB of data (mortgage applications, income, employment history, tax records, SSNs, bank details).
  • Company stance: Disputed the volume; internal review found no evidence core loan-origination systems were infiltrated.
  • Aftermath: Proposed consumer class action alleging negligence and lack of encryption; law-firm investigations launched (e.g., Edelson Lechtzin LLP).
  • Cost: Not publicly disclosed (litigation ongoing).
  • Source: Claim Depot → · Morningstar / PR Newswire →
Feb 2026 · Wholesale / correspondent lender · Costa Mesa, CA

Plaza Home Mortgage — Costa Mesa, CA (Wholesale / Correspondent Lender)

  • Incident: Ransomware group “SilentRansomGroup” claimed a Feb 27, 2026 breach; initial reports cited ~54 users / 10 employees affected, later estimates put scope near 138,000.
  • Company stance: Disputed the higher figure; said security controls detected the access and it shut down the attack immediately.
  • Aftermath: Formal victim notification delayed until May 29, 2026 (via Simpluris); now facing class action lawsuits.
  • Cost: Not publicly disclosed (litigation ongoing).
  • Source: HousingWire →
2026 · Unconfirmed claim · Nationwide

Finance of America — Nationwide (Mortgage Lender / Servicer)

  • Incident: A ransomware gang claimed a hack; the company has not disclosed any incident itself.
  • Company stance: No disclosure made.
  • Aftermath: A consumer filed an early class action based solely on the gang’s claim.
  • Cost: Not publicly disclosed.
  • Source: National Mortgage News →
2025
Fall 2025 · Vendor breach · Industry vendor

SitusAMC — (Industry Vendor, not a direct lender)

  • Incident: Cyberattack in the fall of 2025; scope of impact on consumers, partner banks, and lenders undisclosed.
  • Cost: Not publicly disclosed.
  • Source: National Mortgage News →
Aug 2025 · Mortgage lender · New Jersey (22 states)

NJ Lenders Corp. — New Jersey (22 states)

  • Incident: Unauthorized network access Aug 18, 2025; confirmed exposure Sept 12, 2025 — names, SSNs, driver’s license numbers, DOB, financial account info.
  • Aftermath: Regulatory filings with Maine, Massachusetts, and Vermont AGs.
  • Risk-reduction: MFA, network segmentation, continuous monitoring, encryption of retained records.
  • Cost: Not publicly disclosed.
  • Source: Claim Depot (state AG filings) →
Jul 2025 · Third-party vendor · Mortgage lender

New American Funding — (Mortgage Lender)

  • Incident: July 2025 breach involving a third-party vendor, potentially compromising customer data.
  • Aftermath: Reported to the California Attorney General.
  • Cost: Not publicly disclosed.
  • Source: HousingWire →
Jul 2025 · Non-bank lender · Irvine, CA

American Lending Center — Irvine, CA (Non-bank Lender)

  • Incident: Ransomware attack exposing PII for ~123,158 people (names, DOB, SSNs).
  • Aftermath: Detected July 2025; investigation completed April 2026, delaying notifications.
  • Risk-reduction: MFA, segmentation, offline backups, faster detection / notification.
  • Cost: Not publicly disclosed.
  • Source: California Attorney General →
Jun 2025 · Mortgage lender · Virginia

McLean Mortgage Corporation — Virginia (Mortgage Lender)

  • Incident: Breach exposed personal and financial info for ~30,453 individuals (SSNs, account numbers).
  • Aftermath: Regulatory filings with Maine, Massachusetts, New Hampshire, and Vermont AGs.
  • Risk-reduction: MFA, encryption of loan files, phishing-resistant controls, prompt detection.
  • Cost: Not publicly disclosed.
  • Source: Claim Depot (state AG filings) →
Breach May 2025 · disclosed Mar 2026 · Melville, NY (49 states)

US Mortgage Corporation — Melville, NY (Mortgage Lender, 49 states)

  • Incident: Unauthorized network access May 13–14, 2025; exposed names, DOB, contact info, SSNs, financial / mortgage account info, and limited medical / insurance info.
  • Company stance: Not publicly disputed; engaged third-party cybersecurity experts upon detection.
  • Aftermath: Notice mailed March 5, 2026 — over 260 days after detection; class action filed March 23, 2026 (E.D.N.Y.) alleging unencrypted SSNs.
  • Cost: Not publicly disclosed (litigation ongoing).
  • Source: MPA →
Mar 2025 · Mortgage lender · California

Intelliloan, Inc. — California (Mortgage Lender)

  • Incident: RansomHub claimed an attack exposing names, addresses, SSNs, driver’s license / ID numbers, financial account numbers, and DOB.
  • Aftermath: Regulatory filings with California, Texas, and Massachusetts AGs.
  • Risk-reduction: Offline backups, EDR, least-privilege access, rapid containment.
  • Cost: Not publicly disclosed.
  • Source: Cybernews →
2024
Jan 2024 · Mortgage lender · Nationwide

LoanDepot — Nationwide (Mortgage Lender)

  • Incident: ALPHV/BlackCat ransomware attack; ~16.9M customers affected (names, DOB, SSNs); major operational disruption.
  • Risk-reduction: EDR, network hardening, offline backups, IR-plan readiness.
  • Cost: ~$27 million in reported incident-related expenses.
  • Source: SecurityWeek →
2023
Nov 2023 · Title & escrow · Nationwide

Fidelity National Financial — Nationwide (Title & Escrow)

  • Incident: Suspected ALPHV/BlackCat ransomware attack.
  • Aftermath: Multi-day operational disruption; closings delayed.
  • Risk-reduction: Hardened escrow systems, vendor security reviews, tested continuity plans.
  • Cost: Not publicly disclosed (operational / reputational losses from closing delays not quantified).
  • Source: Cybersecurity Dive →
Oct–Nov 2023 · Mortgage servicer · Nationwide

Mr. Cooper (Nationstar Mortgage) — Nationwide (Mortgage Servicer)

  • Incident: Intrusion Oct 30–Nov 1, 2023; forced payment systems offline; ~14.7M customers affected (names, addresses, SSNs, DOB, bank account numbers).
  • Aftermath: A Texas federal court later ruled affected borrowers had standing to sue.
  • Risk-reduction: Continuous monitoring, encryption, least-privilege access, formal cybersecurity program.
  • Cost: ~$25 million estimated response cost.
  • Source: BleepingComputer →
Breach Aug 2023 · disclosed Jan 2024 · settled 2026 · New York

Premium Mortgage Corporation — New York (Residential Mortgage Lender)

  • Incident: Targeted cyberattack between Aug 24–31, 2023, disclosed Jan 10, 2024; ~10,835 customers affected (names, SSNs, payment card and financial account info).
  • Aftermath: Class action settlement received preliminary court approval Jan 23, 2026; final approval hearing held May 14, 2026.
  • Cost: Settlement offers up to $5,000 per claimant for documented extraordinary losses, $25/hour for up to 4 hours of lost time, or a flat $50 alternative payment; total fund value not disclosed.
  • Source: ClassAction.org →
2021
Dec 2021 · Bank / mortgage lender · Nationwide

Flagstar Bank — Nationwide (Bank / Mortgage Lender)

  • Incident: Attackers accessed the corporate network — second major breach in a year; ~1.55M customers affected (names, SSNs).
  • Risk-reduction: Retiring vulnerable file-transfer tools, segmentation, faster detection, identity protection.
  • Cost: $31.5 million settlement covering both 2021 breaches.
  • Source: Cybersecurity Dive →
Breach 2021 · multistate settlement

Bayview Asset Management (+ 3 affiliates)

  • Incident: 2021 data breach; handling later scrutinized by multiple states.
  • Aftermath: Settled multistate allegations that its breach response failed to meet certain standards.
  • Cost: Settlement amount not disclosed in available reporting.
  • Source: National Mortgage News →
2019
May 2019 · Title & settlement · Nationwide

First American Financial — Nationwide (Title & Settlement)

  • Incident: EaglePro application flaw (IDOR) exposed ~885M document images (SSNs, financial data, driver’s licenses, 2003–2019).
  • Risk-reduction: Secure SDLC, access controls, vulnerability management.
  • Cost: SEC penalty $487,616; NYDFS penalty $1 million (total regulatory fines ~$1.49M; broader remediation costs not disclosed).
  • Source: U.S. SEC →
Mar 2019 · Mortgage banker · Multi-state

Residential Mortgage Services — Multi-state (Mortgage Banker)

  • Incident: Phishing compromised an employee email account containing applicant data.
  • Risk-reduction: MFA on email, phishing training, prompt investigation, regulatory compliance.
  • Cost: NYDFS fine of $1.5 million.
  • Source: NY Dept. of Financial Services →
Date undisclosed
Date undisclosed · post-merger · Mortgage lender

Pacific Residential Mortgage — (Mortgage Lender)

  • Incident: Ransomware attack discovered just weeks after completing a merger with an Ohio-based lender.
  • Cost: Not publicly disclosed.
  • Source: National Mortgage News →
Summaries are based on public reports from the linked sources and reflect information available at the time of writing. This page is provided for general educational purposes and is not legal advice or a statement about any company's current security posture.

Don't want to be the next headline?

Most of these incidents trace back to a handful of controls that were missing. A free 20-minute assessment shows you where your firm stands.

Book a Free 20-Minute Assessment