Citywide Home Loans, a mortgage company based in Utah with 800 employees and operations in 35 states across the U.S., reached a settlement in July 2023 in a $1.2 million lawsuit related to a data breach that occurred in November 2020. The incident, initiated by a ransomware attack on the company’s internal systems on November 18, 2020, gave an unauthorized user access to the personally identifiable information (PII) of over 18,000 current and former employees for a period prior to the attack. The attacker gained access to the corporate network through a VPN connection using the credentials of a Citywide employee. From there, the imposter moved laterally across the network. The compromised data included names, addresses, phone numbers, birthdates, and passport, driver’s license, credit card, and bank account numbers, as well as medical information. Citywide promptly initiated an investigation with the assistance of outside experts, who also helped implement additional security measures to strengthen its security posture.
Basis of the Case
A class-action lawsuit was filed against Citywide Mortgage, in which the lead plaintiff and other class members contended that the mortgage lender was negligent in safeguarding its internal systems. This negligence allegedly paved the way for a cyber attacker to compromise personal data. Although Citywide steadfastly denies any culpability related to the incident, the company opted for an out-of-court settlement that confers the following benefits on the affected individuals:
- Citywide pledges to reimburse all valid claims associated with economic losses up to $5,000 and lost time compensation capped at $200. Should the cumulative payout for all approved claims surpass $1,225,000, the payments will be decreased on a pro-rata basis.
- In addition, the Defendant will provide all affected parties with two years of credit monitoring and Identity Theft Protection Services and $1,000,000 in identity theft insurance at no cost.
Call to Action
The mortgage industry is a good example of how companies are integrating greater amounts of technology to streamline their business practices. Unfortunately, the accelerated rate of digital transformation is making it easier for threat actors to carry out their attacks. What proves frustrating for many business leaders is that, despite increasing investments in security tools, attacks are becoming more prominent. It is becoming clear that acquiring more tools is not the complete answer to the increased cyber threats. While security tools are necessary, organizations must also pay ample attention to people and processes. Employees are both the first line of defense and the most significant vulnerability in any organization. Security is not solely the responsibility of the IT department. Effective cybersecurity relies on robust and well-documented processes. These could be anything from a patch management process to ensure that vulnerabilities in software are quickly fixed, to an incident response process to react swiftly and efficiently to any security breaches, to a risk management process to prioritize the organization’s security efforts effectively. Without these processes, even the best tools and most knowledgeable people can fail to prevent or mitigate a cyberattack.