Filing claims Towne’s weak cyber defenses let intruder copy borrower data
A newly filed class action alleges Towne Mortgage’s data security was so weak it let an intruder copy sensitive borrower information and left customers exposed to ongoing risk.
The case was filed on December 1, 2025, in the U.S. District Court for the Eastern District of Michigan by Florida resident and Towne customer Brian Todd Barnette. He brings the case on behalf of a proposed nationwide class and says his information – and that of at least approximately 2,000 others – was exposed in a June 7, 2025 incident at Towne Mortgage Company.
In the court filing, Towne is described as a full service mortgage lender that states it has extended loans to “2K+” families in 18 states. To obtain those services, the papers say, borrowers were required to provide personal identifying information, including full names, Social Security numbers, financial account numbers, loan numbers and dates of birth. According to Barnette, borrowers did so with the understanding that Towne would keep that information private in line with state and federal law.
The filing recounts how Towne later notified customers of a security issue. In a letter dated around November 13, 2025, Towne reportedly told customers it had identified “unusual activity indicating potential unauthorized access” to its network. The letter explained that, after bringing in external cybersecurity professionals and conducting “extensive forensic investigation and manual document review,” Towne determined on October 14, 2025, that certain personal information “may have been included within the impacted data that may have been copied” from its network as a result of an incident on June 7, 2025.
Barnette goes on to allege that, at the time of the incident, affected information was accessible, unencrypted, unprotected and vulnerable to acquisition and exfiltration. The filing also points to outside reports claiming that the BlackByte threat actor was behind the attack, allegedly disrupting Towne’s operations and demanding a ransom while warning that “the full leak will be published soon, unless a company representative contacts us via the channels provided.”
From there, the case focuses on what Barnette says about Towne’s overall approach to information security. He claims Towne intentionally, willfully, recklessly and/or negligently failed to implement reasonable safeguards, even though it routinely collects what the filing calls “unique and highly sensitive” data. Barnette asserts that, because of the nature of the information it holds, Towne knew or reasonably should have known it needed to follow industry standards and comply with federal and state laws on data security and breach notification.
To frame what “reasonable” security should look like, the court papers cite Federal Trade Commission publications, including “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.” They also reference the Center for Internet Security’s Critical Security Controls and CIS Benchmarks. Drawing on those materials, the filing describes widely recommended practices such as encrypting data in transit and at rest, using intrusion detection systems, monitoring for large data transfers, managing access controls, overseeing third-party vendors and limiting how long information is retained.
According to Barnette, Towne fell short of these expectations, and borrowers now face a present and continuing risk of fraud and identity theft, as well as time spent monitoring accounts, dealing with credit freezes and responding to unwanted communications. He seeks monetary damages and wide-ranging court orders that would require Towne to strengthen its information security program. Among the requested measures are independent third-party security audits, enhanced employee training, network segmentation, monitoring of the ingress and egress of network traffic, and deletion or purging of personal information unless Towne can justify keeping it.
The case is brought under the Class Action Fairness Act and alleges more than 100 putative class members, at least approximately 2,000 affected individuals and an amount in controversy exceeding $5,000,000, exclusive of interest and costs. At this stage, the filing reflects only the allegations of Barnette and the proposed class. Towne’s response is not yet reflected in the record, the court has made no findings, and no final decision has been issued.
This case signals that plaintiffs are urging courts to judge mortgage lenders against FTC and industry cyber standards when borrower data gets exposed.
