Bayview settles for $20M with 53 state regulators over cyberattack


Bayview Asset Management and three subsidiaries have agreed to pay a $20 million fine and implement a corrective plan following a 2021 data breach that affected 5.8 million customers.

The settlement, announced Wednesday by the Conference of State Bank Supervisors, involves 53 state financial regulatory agencies. It includes Bayview and three of its affiliates, Lakeview Loan Servicing, Community Loan Servicing and Pingora Holdings.

Lakeview was the third-largest U.S. mortgage servicer as of September 2024, with an owned portfolio of $728 billion, per Inside Mortgage Finance.

State regulators said that the company implemented “deficient cybersecurity practices” and did “not fully cooperate” following the data breach in 2021.

A representative at Bayview did not immediately reply to HousingWire’s request for comment. The companies neither admit nor deny any wrongdoing by signing the consent order, the document shows.

The case originated in October 2021, when a Bayview Asset Management employee unknowingly downloaded malicious software while conducting job-related internet searches, according to the settlement agreement.

Criminal actors exploited the breach, installing malware and extracting sensitive data, including personally identifiable information, from the company’s network.

Bayview and its affiliates responded by notifying affected consumers, offering support services, and providing free credit and identity theft monitoring.

While the companies informed various state and federal regulators and counterparties about the breach, they failed to meet the notification requirements of all state mortgage regulators in a timely manner, the settlement agreement states.

State agencies in California, Maryland, North Carolina, and Washington led the multistate investigation. They concluded that Bayview and its affiliates delayed the regulatory process by not promptly complying with requests during the early stages of the inquiry.

The settlement requires Bayview to take corrective actions, including enhancing its cybersecurity programs, undergoing independent assessments and submitting three years of detailed reports to state regulators.

The 2021 data breach also sparked civil lawsuits against Bayview and its affiliates. The incident highlights the rising number of cyberattacks impacting the mortgage industry, with other recent cases involving companies such as Mr. Cooper Group, First American, Fidelity National Financial and Fairway Independent Mortgage Corp.


