KeyBank faces potential class-action lawsuit following vendor data breach

Cleveland’s KeyBank and a Georgia insurance services company that it does business with have been accused of negligence following a July data breach that may have compromised personal and loan data for an unknown number of KeyBank’s residential mortgage customers, according to recently filed federal lawsuit.

The corresponding complaint was filed Aug. 30 in US District Court, Northern District of Ohio, by Daniel Bozin. Bozin is described as the executor of the estate of a KeyBank mortgage customer in Westlake potentially impacted by the data breach.

Relief for unspecified damages is sought in the case brought against Key and Overby-Seawell Co. (OSC), a vendor that verifies Key’s residential mortgage customers maintain property insurance.

According to court filings, the lawsuit is proposed as a class action because the incident may involve more than 100 customers and because the “amount in controversy exceeds $5 million.”

According to details in the complaint and a mailer sent to a Key customer listed as an exhibit, an unauthorized third party gained access to OSC’s network on July 5.

OSC informed Key of this on Aug. 4. Key then mailed paper notifications to potentially impacted customers about the breach that were dated Aug. 26.

“On July 5, 2022, criminals breached defendants’ systems, and accessed, and acquired electronic files containing (personal identifiable information) of plaintiff and class members,” according to the complaint. “The criminals gained unauthorized access by thwarting, circumventing, and defeating defendants’ unreasonably deficient data security measures and protocols.”

Specific customer information that may have been collected in the data breach, per court filings, includes: names, mortgage property addresses, mortgage account numbers and information; phone numbers, property information; social security numbers; home insurance policy numbers; and home insurance information.

Key declined to comment on the case or details therein, including how many customer accounts may have been impacted by the data breach. The lawsuit notes that Key reported $131 million in consumer mortgage income in 2021, “suggesting a large number of loan originated and/or serviced by defendants.”

A key spokesperson emphasized that the bank’s own systems and operations were not affected by the incident.

“We learned recently that a vendor that supports our home lending business, Overby-Seawell Co., suffered a cybersecurity incident that compromised data of its corporate clients, including personal information associated with KeyBank mortgage clients,” said Key in an emailed statement. “This incident does not affect any key systems or operations. OSC has reported this matter to law enforcement, and we are working to make sure that enhanced measures are in place to protect our data. We take this matter very seriously and have notified all affected individuals.”

The complaint contends that such “enhanced” security measures put in place in the wake of the breach should’ve been there in the first place.

The mailers sent out by key note that OSC is offering two-years of free identity-theft monitoring services to affected customers, provided by Equifax.

Defendants have not yet filed a response to the case.

Capital One agreed in August to a $190 million settlement — with potential payouts to impacted customers totaling as much as $25,000 — for a 2019 data breach that may have impacted an estimated 106 million people. That incident seemed to involve the company’s own systems and not that of a vendor it was working with, which is the situation facing Key.

Comments are closed.