US Mortgage hit with class-action suit over May 2025 data breach

BY: Kevin Smith

A former employee is now suing US Mortgage after a breach allegedly exposed highly sensitive personal data.

That alone is damaging.

But the details in the lawsuit are what security leaders in mortgage should really pay attention to.

According to the complaint, US Mortgage detected suspicious activity on May 14, 2025.

Employees were reportedly not notified until March 2026.

That gap matters.

Because this was not minor data. The lawsuit says the exposed information included names, birthdates, government identification numbers, mortgage account details, and limited protected health information. In other words, exactly the kind of data that creates long-tail identity theft and fraud risk for years, not weeks.

The plaintiff, former employee Richard Bernich, is alleging that the breach was both foreseeable and preventable. The complaint claims US Mortgage failed to implement industry-standard protections like data encryption and multifactor authentication, and also failed to properly delete data that no longer needed to be retained.

That last part deserves more attention than it usually gets.

Too many organizations treat data retention as an administrative issue.

It is not.

Every unnecessary record you keep becomes another asset an attacker can monetize later.

And in mortgage, the value of that data is unusually high. Government IDs. Financial records. Account details. Personal history. This is not breach data that goes stale quickly. It stays useful.

The lawsuit also claims the data has already been disseminated on the dark web.

So yes, this is now a legal story. A class action. Potential damages above $5 million. Demands for court-ordered security changes. Allegations of negligence, breach of implied contract, and unjust enrichment.

But the legal case is still downstream.

The more important upstream question is this:

Why are so many mortgage companies still relying on security models that leave sensitive identity and borrower data exposed in the first place?

We spend a lot of time talking about compliance after the breach.

Not enough time talking about attack surface before it.

The mortgage industry keeps treating identity security as a box to check:

  • Do we have MFA?
  • Do we have policies?
  • Do we have disclosures ready if something happens?

But attackers are not grading your policy framework.

They are looking for exploitable access, weak controls, over-retained data, and systems that assume credentials are still a safe foundation.

That is the real issue.

Because once attackers get in, the downstream costs stack fast:

  • breach response
  • legal exposure
  • notification costs
  • credit monitoring
  • reputational damage
  • and years of fraud risk for the people whose data was taken

The lesson here is bigger than one lender.

Mortgage companies should be asking themselves three harder questions right now:

  1. What sensitive data are we holding that we no longer need?
  2. What identity controls would actually stop modern account compromise, not just satisfy a checklist?
  3. If we discovered suspicious activity today, how confident are we in our ability to contain it and communicate fast?

New lawsuit.

Same pattern.

Sensitive data retained too long.
Security controls allegedly too weak.
People notified too late.

The industry does not need better breach PR.

It needs fewer credentials, less unnecessary data, and stronger identity architecture.