In December 2022, mortgage servicing company LoanCare revealed that over 1.3 million customers may have had their personal information compromised in a data breach. This revelation has led many affected customers to question if the breach notice is a scam or if it’s legit.
In this in-depth article, I’ll cover everything you need to know about the LoanCare data breach, including:
[ez-toc]
Let’s start by looking at some key background on LoanCare and how the breach happened.
Overview of LoanCare and the Data Breach
LoanCare is a mortgage servicing company based in Virginia Beach, Virginia. They are a subsidiary of Fidelity National Financial (FNF), which is one of the largest title insurance providers in the US.
LoanCare offers services like mortgage subservicing and backup servicing to banks, credit unions, mortgage lenders and other clients. They service around $390 billion in loan balances from over 1.2 million mortgage loans.
Here are some of the core facts on the data breach, based on LoanCare’s filing with the State of Maine and the breach notice letters sent to impacted customers:
- Breach timeframe: Occurred on November 19th, 2023 but wasn’t discovered until December 13th
- Type of breach: A cyberattack on Fidelity National Financial’s systems
- Number of impacted customers: 1,316,938 LoanCare borrowers
- Types of data exposed: Names, addresses, Social Security Numbers, and loan account numbers
So in a nutshell – hackers breached Fidelity National’s systems back in November and stole data belonging to over 1 million LoanCare customers.
While LoanCare first became aware of the incident around November 19th, they launched an investigation with forensic experts before determining that customer information had indeed been stolen. Hence why affected individuals only received notification letters in mid-December explaining the breach.
How LoanCare Customers Are Reacting to the Breach Notice
Understandably, LoanCare customers whose personal and financial data was exposed have reacted with a mix of anger, confusion, and anxiety around this revelation.
Some key themes that have emerged among borrowers who received the data breach letter:
Anger and Frustration
Many LoanCare borrowers are feeling outraged that their highly sensitive information was taken by hackers without their permission or knowledge for over a month.
They’re frustrated by the lack of cybersecurity protections that allowed this major breach to take place. And that LoanCare took weeks to discover the stolen customer data and inform those affected, despite being aware of the initial attack back in November.
Confusion Over Whether This is a Scam
Initially, some customers who received a letter were suspicious that this notice could be a scam attempt itself:
The letter asks recipients to enroll in credit monitoring services that require handing over more personal information and SSN verification.
So understandably, some worried this breach alert could actually be a fraudster posing as LoanCare to steal identities. I’ll cover more shortly on why this situation turned out to be legitimate.
Anxiety Over Identity Theft and Fraud
Considering such sensitive data as full names, home addresses, SSNs and loan numbers were compromised, LoanCare customers are feeling extremely anxious about identity theft.
They worry that hackers may sell or misuse this information to:
- Take out loans or credit cards in their name
- Gain access to their bank and retirement accounts
- File fraudulent tax returns to steal refunds
- Use their health insurance and medical ID
- Commit other types of fraud and financial theft
So while LoanCare itself isn’t likely a scam, affected individuals now face a hugely increased risk of different fraud scams targeting them using this stolen data.
Seeking Legal Options
Given the scale of sensitive information exposed – and LoanCare’s delayed response time – many customers are exploring legal avenues to hold the company accountable.
Some of the legal questions borrowers are asking include:
- Can I join a LoanCare data breach class action lawsuit?
- What are my grounds for suing LoanCare over this incident?
- Am I entitled to any data breach compensation?
I’ll cover later in this piece what legal routes like class action lawsuits may be possible for affected borrowers to pursue compensation.
First, let’s look at reasons why the LoanCare breach does legitimately appear to be a real incident.
Factors Pointing to a Legitimate LoanCare Data Breach
Although some LoanCare customers initially worried this notice could be an identity theft scam, several key factors confirm that this situation is legitimate:
1. Filed Data Breach Notice with State Authorities
LoanCare submitted an official data breach notification letter to the Attorney General’s office of the State of Maine on December 20th, 2022.
This public filing has details matching the breach alerts sent to customers, confirming a cyberattack took place leading to stolen personal information.
State AG offices provide oversight and enforcement around data breach disclosures, laws and regulations. So this helps confirm the legitimacy.
2. Parent Company FNF Reported a Cyber Attack
Back in late November 2022, Fidelity National Financial disclosed in an SEC filing that they experienced a cybersecurity incident.
While originally vague on impacts, this aligns with LoanCare’s timeline around detecting unauthorized activity within FNF’s systems on November 19 which later impacted their customer data.
Public companies like FNF have strict disclosure laws around cyberattacks and data breaches, providing further credence.
3. Notification Letters to All Affected Customers
Instead of a broad public announcement, LoanCare sent direct-mail notification letters in mid-December to each of the 1.3+ million customers whose personal data was compromised.
These letters contained accurate customer names/addresses and details matching individuals’ actual LoanCare loan accounts.
Scammers would not feasibly have access to this level of legitimate customer data across so many impacted users.
So given LoanCare’s public disclosure, the linkage to FNF’s confirmed attack, and personalized letters to all involved borrowers – this data breach appears entirely valid vs any kind of identity fraud shams.
Why Some Initially Worried of a Data Breach Scam
Despite the above verification factors, some cautious LoanCare customers still had initial concerns over whether this notice was 100% legitimate vs a potential scam attempt.
There are a few reasons why borrowers may have worried this breach alert could be fraudulent or suspicious:
Data Breaches Commonly Used as Phishing Lures
Firstly, fake data breach alerts are a very common phishing tactic used to harvest people’s information and money.
Scammers know consumers are now well-accustomed to receiving notifications that their data was compromised.
So fraudsters exploit this familiarity to craft fake bank, provider and employer “breach notices” advising customers to urgently verify account details to “secure their data” which ultimately hands everything over to criminals.
When people receive ANY unexpected security alerts like this, extra precaution is well-warranted.
Letter Asks for More Sensitive Information
What initially gave some LoanCare customers further pause is that the breach notification letter asks recipients to provide additional ultra-sensitive information.
Specifically, to enroll in the “complimentary” 2-year credit monitoring service being offered, the letter requests users’:
- Full name
- Contact information
- Social Security number
- Date of birth
At first glance, these data points could align conveniently with everything identity thieves need to open fraudulent accounts.
So the somewhat suspicious invitation for further sensitive info does mirror common social engineering bait used by scammers posing as legitimate companies.
No Immediate Outbound Contact from LoanCare
Finally, some cautious borrowers expected LoanCare itself would proactively call or email users about such a massive data breach.
Yet at first there was zero outbound contact to validate this notice before physical letters started arriving. So no immediate reassurance around the legitimacy for concerned clients.
With scammers growing increasingly sophisticated – even able to spoof legitimate business phone numbers and email addresses – the lack of confirmation channels caused some initial doubt.
Nonetheless, as covered earlier the preponderance of evidence makes clear that unfortunately this major LoanCare data breach situation is fully authentic.
Now let’s go over the critical actions customers can take, whether this incident seems scammy or legit.
What to Do If You Received the LoanCare Breach Notice
If you’re a LoanCare customer whose data was compromised in this breach, here are the key steps to take now to protect your identity, accounts, and sensitive information:
1. Enroll in The Free Credit Monitoring
While ironic given initial concerns over handing over more data, the 2 years of credit monitoring is absolutely vital to enroll in.
This will alert you to any new accounts or loan inquiries made in your name, signaling potential fraudulent activity based on the stolen data.
Yes, it does require handing over additional info like full SSN to confirm identity.
But in this case, the criminals already have your SSN…so take full advantage of the monitoring service to be on watch for how it could be misused.
2. Enable Fraud Alerts with Credit Bureaus
Separately from the monitoring service, placing 1-year fraud alerts with Equifax, TransUnion and Experian will provide an extra layer of protection.
This asks creditors to take extra verification steps before approving any new credit in your name. So it can stop identity thieves that the monitoring might miss.
And fraud alerts don’t require handing over as much sensitive data upfront vs the full monitoring enrollment.
3. Reset All Account Passwords and Security Questions
Another crucial step is to reset ALL passwords, PINs and security questions for every single financial account you have connected to the compromised info. This includes:
- Bank, insurance, investment accounts
- Retirement accounts
- Tax preparation accounts
- Mortgages, loans, credit cards
- Healthcare portals
- Anything else tied to your SSN
This protects against criminals using previously stolen info to access these existing accounts. Use extra complex new passwords and security question answers.
4. Carefully Review Any Communications Claiming Further LoanCare Contacts
Criminals may still attempt to exploit this breach by posing as LoanCare in follow-up calls, emails and texts to affected borrowers.
Any surprise contacts claiming additional account validation requirements due to fraud risks could be thieves phishing for more data.
Carefully confirm legitimacy before sharing ANY sensitive personal or financial information.
5. Explore Compensation Options
Affected customers have begun investigating their options around data breach compensation, including:
Joining a class action lawsuit – Large-scale lawsuits are already being organized alleging LoanCare failed to sufficiently protect consumer data. These aim to recover damages for those impacted.
Individual legal claims – You may have grounds to sue independently over harm caused by the breach around factors like identity theft or fraudulent accounts opened in your name afterwards using the stolen data.
Submitting complaints – Filing complaints through entities like state attorneys general, Consumer Financial Protection Bureau, and the AARP Fraud Watch Network brings added scrutiny towards ensuring LoanCare enhances security and makes customers whole.
I’ll cover the ins and outs of data breach compensation and legal routes in more detail shortly.
But first, let’s recap some quick answers around the main question behind this whole situation – is the LoanCare breach notice legit or a potential scam?
LoanCare Breach Verdict: Legitimate, Not a Scam
To conclude this full run-down based on current information:
The LoanCare data breach situation and notification letters sent to over 1.3 million affected individuals do unfortunately appear to be 100% legitimate
Evidence like LoanCare’s breach notice filing with the State AG, the timing align with parent company FNF’s confirmed cyberattack, highly detailed and personalized customer letters, and enrollment in reputable credit monitoring services provided by Kroll strongly support this breach actually taking place vs being any kind of identity fraud ruse.
So if you received one of these notifications with your accurate name, address, SSN and active LoanCare loan account listed – it does mean your data has been compromised necessitating urgent protective steps.
However, criminals WILL very likely launch a wave of phishing scams claiming to be further communications related to this breach
Thieves know millions of LoanCare customers are hyper-alert around identity theft risks due to the sensitive data now exposed.
Expect a surge in sophisticated fake calls, emails and texts posing as LoanCare or affiliates. Their goal is tricking victims into handing over more money and account access.
It may not be the initial breach notice that was fake – but subsequent scams hoping to further exploit concerned borrowers probably will start flooding in.
So while unfortunately legitimate, guard yourself from the inevitable trail of new scams seeking to abuse this incident at customers’ expense!
Now let’s get into the questions many affected LoanCare borrowers have around legal options, compensation rights, class action lawsuits, damages recovery and more.
Frequently Asked Questions on LoanCare Breach Legal Options
For customers who more narrowly avoided potential significant harm like fraudulent accounts or stolen funds – receiving free credit monitoring may be adequate.
But considering such sensitive data has been compromised for each of over 1+ million LoanCare borrowers without permission – many are reasonably seeking routes toward compensation for damages. Especially given the month-long delay notifying individuals after information was accessed.
If you’ve received a LoanCare breach letter and are wondering what potential legal options exist, here are some common questions and answers:
Can I Join a LoanCare Data Breach Class Action Lawsuit?
Yes, LoanCare customers affected by this incident can join class action lawsuits. Several investigations are already underway by major consumer protection law firms.
They allege customers suffered damages through LoanCare’s failure to properly notify and safeguard sensitive information, declining property values from the breach, and emotional distress.
These class actions aim to recover compensation for victims on a mass scale by combining all claims into one larger collective lawsuit versus individuals needing to file separately.
Typical outcomes could be average payments in the thousands of dollars per affected customer, credit monitoring services, credit repair, reimbursement of related expenses like fraud losses or frozen credit reports, and further security commitments from LoanCare.
Some key class actions in progress include:
- Climaco, Wilcox, Peca, Tarantino & Garofoli LPA
- Berger Montague
- Criden & Love, P.A.
To join, you can inquire with these class action investigation firms whether you may be eligible to enroll as part of their lawsuit based on your LoanCare account info details.
Most will have free case reviews and take the matter on a contingency basis requiring no upfront payments or fees from consumers.
Can I Sue LoanCare Independently for the Data Breach?
You may be able to pursue individual legal action against LoanCare in addition to or separate from class proceedings. Potential grounds could include:
✔️ Negligence – Failure to adequately protect your data with sufficient cybersecurity protocols despite reasonably foreseeable hacking threats
✔️ Invasion of privacy – Disclosure of your sensitive personal and financial data to criminals without consent
✔️ Breach of contract – Violating LoanCare’s own privacy policies around safeguarding customer information
✔️ Violations of state data breach notification statutes – Not informing affected individuals in a timely manner in accordance with legal data privacy and disclosure laws
✔️ Emotional distress – Severe enough anxiety, stress or harm from worry over potential fraud risk to health and well-being
If trying to sue LoanCare independently outside of class options, be advised it can be an uphill legal battle as an individual claimant. But grounds may exist in state laws or through violations of specific clauses in your customer account agreements with LoanCare.
An experienced data privacy attorney can best assess if individual legal action against LoanCare for damages beyond just credit monitoring reimbursement is feasible based on your unique breach impacts.
Am I Entitled to Financial Compensation Due to the LoanCare Breach?
Potentially – if actual theft, fraud or other quantifiable harm took place involving your accounts or identity due to this incident. Compensation eligibility cases could include instances like:
- New credit card or loan accounts opened in your name using the compromised information
- Unauthorized wire transfers sent from your bank account(s) using the stolen data
- Tax refund fraud occurring through fraudulent returns filed with your Social Security number
- Medical ID theft found where someone seeks treatment pretending to be you based on your SSN/name obtained from LoanCare systems
- Out-of-pocket costs related to credit freezes, protection services, or recovering from fraud
- Missed work and lost income time dealing with breach-related issues
For class action participants where harm thresholds have not necessarily been met for all individuals, compensation may appear more in the form of credit monitoring services, credit repair, reimbursement of breach-related expenses, and further security upgrades by LoanCare.
But for victims with more quantifiable ID theft and provable fraud damages – you could receive direct settlement payments if legal action is undertaken and succeeds.
An attorney can guide you on the viability and process of seeking reimbursement if this data exposure resulted in significant personal financial loss.
Explore Legal Options Carefully, But Don’t Wait Too Long!
In summary – all LoanCare borrowers affected should be actively exploring their rights around compensation and potential legal avenues, including through:
✔️ Reviewing class action lawsuit opportunities as they become available in the coming months
✔️ Consulting with attorneys to determine if individual legal claims against LoanCare for negligence or privacy violations could be warranted
✔️ Staying on top of new announcements related to the breach from state attorneys general or the Consumer Financial Protection Bureau regarding potential settlements or restitution down the line
✔️ Documenting meticulously any signs of fraud or identity theft that seem directly related to your information stolen through this breach, as proof can strengthen claims
✔️ Being aware of legal time limits – cases must generally be filed within 1-2 years from the discovery of damages happening, so don’t wait too long
The downside with a breach this massive impacting over 1 million people is that obtaining individual financial relief can still be an uphill path.
Wrapping Up
Class actions may cap out at relatively small average payments stretched across everyone involved. Proving your own distinct fraud harms beyond credit monitoring needs for settlement purposes gets harder the more simultaneous victims there are. And time, legal cost and effort inhibitions remain challenging for ordinary individuals even in a valid case.
Yet legal teams behind class actions will generally front all upfront legal costs, only collecting if and when settlements are actually won. So participating in collective proceedings poses little risk or barriers to consumers.
Similarly for individual claims – reputable consumer protection firms frequently offer free consultations and case evaluations. And often represent clients on a contingency basis, taking attorney fees only from settlement amounts vs requiring retainers upfront.
So in a case like this where clearly negligence and legal violations enabled such mass data exposure – it’s in your best interest to actively pursue what compensation rights may exist through different legal channels now coming together.
Minimum steps of enrolling in credit monitoring and placing fraud alerts are vital identity theft precautions regardless. But failure to make LoanCare also pay accountability through consumer protections laws, contract breaches and fiduciary violations only invites future similar disregard for customers’ data security.
Stay vigilant on all emerging case updates and settlement opportunities in this situation. With savvy legal advocates on your side, significant recoveries forcing enhanced security changes remain quite feasible over time even after such a frustrating identity theft debacle mishandled by LoanCare and Fidelity National.
Also Read: