The suit claims stolen data landed on the dark web — and no one was notified
Berkadia Commercial Mortgage, the nation's top Freddie Mac lender by volume, is facing a proposed class action over an alleged cyberattack that may have compromised the data of thousands of individuals.
The suit (Todd v. Berkadia Commercial Mortgage LLC, Case No. 1:26-cv-03017) was filed on April 13, 2026, in the Southern District of New York by Rick Todd, a former Senior Manager of Information and Application Security at the company. Todd alleges that on or about March 20, 2026, cybercriminal group ShinyHunters breached Berkadia's systems and made off with an unknown quantity of highly sensitive data belonging to employees and customers alike. The stolen data was allegedly posted on the dark web for sale or ransom following the breach.
Berkadia, headquartered in New York, describes itself as a company that sells, finances, and services commercial real estate, supporting the entire life cycle of its clients' assets. It operates offices across the United States and provides investment sales, mortgage banking, and loan servicing solutions nationwide. In short, it sits at the center of the commercial mortgage world — and now, at the center of a data security controversy.
The data allegedly compromised is extensive: full names, Social Security numbers, dates of birth, addresses, email addresses, driver's license and passport numbers, employment usernames and passwords, employment histories, banking information, sensitive business documents, and tax information. For a company that handles complex commercial mortgage transactions, that kind of exposure raises immediate questions about how client and employee data is being protected across the industry.
The suit also takes aim at Berkadia's cybersecurity infrastructure. It alleges the firm failed to meet the minimum standards of the NIST Cybersecurity Framework and the Center for Internet Security's Critical Security Controls — both described in the filing as existing and applicable industry standards in the financial services industry. It further points to Berkadia's own privacy policy, which states the company maintains a comprehensive information security management system with administrative, technical, and physical safeguards. According to the suit, those protections were not effectively in place when ShinyHunters struck.
What may concern mortgage professionals most is what allegedly did not happen after the breach. The suit claims that as of the filing date — more than three weeks after the incident — Berkadia had not notified affected individuals, had not reported the breach to state attorneys general, and had not offered any identity theft monitoring or protection.
Todd is seeking compensatory damages, reimbursement of out-of-pocket costs, injunctive relief including improvements to Berkadia's data security systems and future annual audits, and not less than ten years of credit monitoring for affected individuals. The amount in controversy exceeds five million dollars.
No determination has been made on the merits. Berkadia has not yet responded to the allegations.
Still, for an industry built on trust and sensitive financial data, the case is a pointed reminder that cybersecurity is no longer just an IT issue — it is a legal and reputational one.
