Cleveland-based KeyBank, a mortgage lender and servicer with $187 billion in assets, is facing a lawsuit filed in federal court in Ohio stemming from a recent data breach that compromised its customers' personal information, including Social Security numbers.
The litigation, which seeks class-action status, alleges that a KeyBank vendor, Kennesaw, Georgia-based Overby-Seawell Co. (OSC), was the target of cybercriminals this past July who hacked the vendor’s computer systems, resulting in a breach that compromised the mortgage-related personal data of KeyBank customers.
OSC provides property-insurance verification services for KeyBank’s residential mortgage customers. The cyberattack compromised a range of personal information, including KeyBank customers’ names; property addresses and details; mortgage account numbers and information; phone numbers; and the first eight digits of Social Security numbers as well as home-insurance policy numbers and information.
KeyBank, which operates in 15 states, made its customers aware of the breach via a letter dated August 26. The letter indicates the bank was only made aware on August 4 of the July 5 data breach at insurance-services provider OSC.
“OSC is investigating this incident with the assistance of third-party cybersecurity experts,” states the KeyBank letter to customers, which is included as an exhibit in the lawsuit filed in U.S. District Court in Cleveland by the executor of the estate of Aurora Murgu — whose mortgage was “originated and/or serviced” by KeyBank. The pleadings ask the court to grant class-action status to the litigation, arguing that the defendants KeyBank and OSC were negligent in failing to adequately monitor, inspect and control data-security practices.
“[OSC has] deployed enhanced security monitoring tools across their network and notified the Federal Bureau of Investigation (FBI) of this incident,” KeyBank’s letter to its customers affected by the data breach continues. “We encourage you to take advantage of a complimentary two-year membership to Equifax Complete Premier made possible by OSC….”
As an indication of the pervasiveness of major cyberattacks today, it should be noted that Equifax itself was the victim of a past data hack that resulted in litigation and regulatory actions that cost the company hundreds of millions of dollars. Past settlements in data-breach cases involving compromised personal and/or business information include Capital One, $190 million for members of the class, in addition to $80 million to settle claims by regulators; Morgan Stanley, $120 million, including civil penalties paid to regulators; and Equifax, $700 million to settle claims by consumers and regulators.
Figures on the numbers of KeyBank customers affected by the data breach have not been released by the bank. The litigation, however, indicates that the number of affected KeyBank customers is significant enough to merit class-action status for the lawsuit.
“[KeyBank] reported $131 million in consumer mortgage income in its 2021 annual report, suggesting a large number of loans [were] originated and/or serviced by the defendants,” the lawsuit alleges. The litigation also makes clear that the KeyBank customers whose data was compromised “have already been subjected to violations of their privacy and have been exposed to a heightened and imminent risk of fraud and identity theft.”
The lawsuit also notes that the potential number of individuals affected by the breach (the class) exceeds 100 across multiple states and damages exceed $5 million, “exclusive of interest and costs.”
KeyBank released the following statement about the data breach to the media:
“We learned recently that a vendor that supports our home lending business, Overby-Seawell Company, suffered a cybersecurity incident that compromised data of its corporate clients, including personal information associated with KeyBank mortgage clients. This incident does not affect any Key systems or operations. OSC has reported this matter to law enforcement, and we are working to make sure that enhanced measures are in place to protect our data. We take this matter very seriously and have notified all affected individuals.”
The lawsuit demands a jury trial, class-action certification and relief that includes restitution, damages, compensation for reasonable litigation expenses “and other relief as equity and justice may require.”
KeyBank is far from the only mortgage services provider that has been the victim of a cyberattack — which is a growing problem for companies operating in the digital age.
Earlier this year, one of the largest loan-servicing companies in the nation, Lakeview Loan Servicing LLC, was hit with a major cyberattack that compromised the personal data of the mortgage borrowers the company serves. That data breach, revealed by Lakeview in mid-March, targeted the personal information of some 2.5 million borrowers, including their Social Security numbers, and also sparked a wave of litigation.
The problem of cybercrime is not going away anytime soon, cybersecurity experts stress. If measured as a country, the cost of cybercrime globally would represent the third-largest nation on earth, behind the U.S. and China, according to Marianne Bailey, a partner at cybersecurity firm Guidehouse and former deputy national manager for national security systems at the National Security Agency, better known as the NSA.
“In 2021 there were predicted damages of $6 trillion in U.S. dollars globally,” Bailey said during a panel discussion on cybercrime at a Mortgage Bankers Association (MBA) convention this past spring in New York.
“Global cybercrime costs are expected to grow by 15% per year over the next five years reaching $10.5 trillion in U.S. dollars annually by 2025,” Bailey added. “We’re in this huge digital ecosystem. We’re becoming more and more digitally connected, with everything that we’re doing in life, and so all that stuff is up for grabs by cybercriminals.”
Bailey said cybercrime is still perpetrated by lone wolves, but increasingly it’s the domain of organized crime and nation-state-backed cybercriminals — and she singled out Russia as one of those nation states.
“People don’t realize that there has been a low-level cyber war for decades,” she said. “So, they’re getting into everything. They’re very, very sophisticated.”