Berkadia Faces Lawsuit Over Massive Data Breach Linked to ShinyHunters
A proposed class-action lawsuit has been filed against commercial mortgage servicer Berkadia, alleging the company suffered a major data breach that exposed highly sensitive personal and financial information. The breach, attributed to the cybercriminal group ShinyHunters, reportedly compromised a vast trove of data, including:
- Full names, Social Security numbers, and dates of birth
- Home addresses and email addresses
- Driver’s license and passport numbers
- Employment credentials, work histories, and banking details
- Sensitive business documents and tax information
The lawsuit claims Berkadia’s cybersecurity measures fell short of industry standards, violating both the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls benchmarks cited as mandatory for financial services firms. Additionally, the complaint highlights discrepancies between Berkadia’s stated privacy policy, which promises robust safeguards, and the alleged lack of effective protections at the time of the breach.
Of particular concern is the company’s delayed response. More than three weeks after the incident, the suit alleges Berkadia had not notified affected individuals, reported the breach to state attorneys general, or provided identity theft monitoring.
The plaintiff, Todd, is seeking compensatory damages, reimbursement for out-of-pocket costs, injunctive relief (including mandatory security upgrades and annual audits), and at least 10 years of credit monitoring for impacted parties. The lawsuit estimates damages exceeding $5 million. No ruling has been issued, and Berkadia has yet to respond to the allegations.
Berkadia cybersecurity rating report: https://www.rankiteo.com/company/berkadia
{
  "id": "BER1776292480",
  "linkid": "berkadia",
  "type": "Breach",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Financial Services',
                        'name': 'Berkadia',
                        'type': 'Commercial Mortgage Servicer'}],
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Full names',
                                              'Social Security numbers',
                                              'Dates of birth',
                                              'Home addresses',
                                              'Email addresses',
                                              'Driver’s license numbers',
                                              'Passport numbers',
                                              'Employment credentials',
                                              'Work histories',
                                              'Banking details',
                                              'Sensitive business documents',
                                              'Tax information']},
 'description': 'A proposed class-action lawsuit has been filed against '
                'commercial mortgage servicer Berkadia, alleging the company '
                'suffered a major data breach that exposed highly sensitive '
                'personal and financial information. The breach, attributed to '
                'the cybercriminal group ShinyHunters, reportedly compromised '
                'a vast trove of data, including full names, Social Security '
                'numbers, dates of birth, home addresses, email addresses, '
                'driver’s license and passport numbers, employment '
                'credentials, work histories, banking details, sensitive '
                'business documents, and tax information. The lawsuit claims '
                'Berkadia’s cybersecurity measures fell short of industry '
                'standards, violating both the NIST Cybersecurity Framework '
                'and the Center for Internet Security’s Critical Security '
                'Controls benchmarks. The plaintiff is seeking compensatory '
                'damages, reimbursement for out-of-pocket costs, injunctive '
                'relief, and at least 10 years of credit monitoring for '
                'impacted parties.',
 'impact': {'data_compromised': 'Highly sensitive personal and financial '
                                'information',
            'financial_loss': '> $5 million (estimated damages)',
            'identity_theft_risk': 'High (exposure of SSNs, driver’s licenses, '
                                   'passports, etc.)',
            'legal_liabilities': 'Lawsuit filed, potential fines for '
                                 'regulatory violations',
            'payment_information_risk': 'High (exposure of banking details)'},
 'post_incident_analysis': {'root_causes': 'Alleged failure to meet industry '
                                           'cybersecurity standards (NIST, CIS '
                                           'Controls)'},
 'references': [{'source': 'Class-action lawsuit filing'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit filed',
                           'regulations_violated': ['NIST Cybersecurity '
                                                    'Framework',
                                                    'Center for Internet '
                                                    'Security’s Critical '
                                                    'Security Controls'],
                           'regulatory_notifications': 'Not reported to state '
                                                       'attorneys general '
                                                       '(allegedly delayed)'},
 'response': {'communication_strategy': 'Delayed (allegedly not notified '
                                        'affected individuals or state '
                                        'attorneys general for over three '
                                        'weeks)'},
 'threat_actor': 'ShinyHunters',
 'title': 'Berkadia Faces Lawsuit Over Massive Data Breach Linked to '
          'ShinyHunters',
 'type': 'Data Breach'}