- A former senior security manager sued Berkadia, alleging a March 2026 breach by ShinyHunters exposed Social Security numbers, bank info, and tax data.
- The lawsuit alleges that Berkadia neglected NIST guidelines as well as its own privacy policies, and waited more than three weeks before notifying the impacted customers.
- The plaintiff is seeking more than $5 million in damages and ten years of credit monitoring. He also demands a court order requiring Berkadia to implement security improvements.
A major commercial mortgage lender, Berkadia, just got hit with a proposed class action lawsuit over a cyberattack.
The suit claims hackers stole thousands of pieces of sensitive data and Berkadia didn’t notify the victims for weeks. It also alleges that the company failed to meet minimum cybersecurity standards set out by NIST.
Lawsuit by an Insider
Rick Todd knows Berkadia’s security firsthand. He used to be its Senior Manager of Information and Application Security. On April 13, he sued the company in the New York Southern District Court.
The complaint paints a pretty disturbing picture. A notorious gang of cyber crooks called ShinyHunters supposedly broke into Berkadia’s system sometime around March 20. The hackers made off with an undisclosed amount of personal data – the kind of information you’d rather keep private.
What kind of personal info did they expose? Full names. Social Security numbers. And even birthdays. Addresses, email addresses, driver’s licenses, and passport numbers leaked as well.
Then throw in employment usernames and passwords, work histories, banking details, sensitive business documents, and tax information. That’s a goldmine for identity thieves. And the suit says all of it landed on the dark web for sale or ransom.
Was the Breach Due to a Security Breakdown?
Berkadia calls itself a top Freddie Mac lender. It sells, finances, and services commercial real estate nationwide. But the lawsuit argues its security didn’t match its status.
The filing points to two well-known benchmarks: the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Controls. According to the suit, Berkadia failed to meet those basic industry standards.
Even more striking? The company’s own privacy policy promises a “comprehensive information security management system” with administrative, technical, and physical safeguards. The lawsuit claims those protections were not effectively in place when ShinyHunters struck.
Security failures are not limited to private companies. A hacker recently pleaded guilty to breaching the U.S. Supreme Court, proving that even institutions with the highest security protocols can be vulnerable to determined cybercriminals.
Berkadia Stayed Silent for Weeks
Sadly, the breach allegedly happened on March 20. But, as of the filing date on April 13, Berkadia had still not told a single affected person.
According to the suit, the company not only kept customers in the dark, but it also failed to inform state Attorneys General about the breach. And it offered no identity theft monitoring or protection. That’s more than three weeks of silence.
The Plaintiff’s Demands
Todd’s demands are clear: he’s suing for all the pain and expense he’s suffered as a result. He wants compensatory damages for everyone affected by the data breach, and he wants the company to pay back all out-of-pocket expenses.
Further, Todd is requesting injunctive relief from the court. That means a court order forcing Berkadia to upgrade its data security systems. Plus, he wants future annual audits to make sure the fixes stick.
And for the people whose data got exposed? Todd wants no less than ten years of credit monitoring for each one. The total amount being contested is over five million dollars.
To be clear, no judge has actually made a ruling on any of it yet. Berkadia hasn’t filed a response. But for an industry built on trust and massive financial deals, this case sends a loud message. Cybersecurity is now a legal and reputational bomb, not just an IT headache.