Union Home Mortgage data breach: Lessons and hardening checklist for CISOs
When hackers steal your customer or employee data, the ripple effect is profound and lasting for them. It's also expensive for you. A class action lawsuit filed this week in the Northern District of Ohio against Union Home Mortgage is a reminder that cybersecurity standards are not theoretical checkboxes. They can be the difference between containing an intrusion and incurring catastrophic losses.
Confirmed facts from UHM’s notice
Union Home Mortgage Corporation (UHM) reported that files containing personal information were accessible to an unauthorized party in 2025. In September 2025, UHM notified regulators and affected individuals. State postings and UHM’s own notice materials confirm exposure of names, Social Security numbers, driver’s license or state ID numbers, full dates of birth, passport numbers, and financial and banking information. Public counts include 1,650 affected Washington residents, 24,160 Texans, and a small number of Massachusetts residents. These items are facts taken from government postings or UHM’s notices.
Allegations in the class action
A putative class action followed. The complaint alleges that UHM failed to use reasonable safeguards such as strong encryption, network segmentation, timely patching, continuous monitoring, and prompt notice, and that its public assurances of industry-recognized safeguards did not match reality. These specifics remain allegations unless proven or admitted. By contrast, the data categories and victim counts above, which come from state attorney general postings and UHM's own notices, can be treated as facts.
Why reasonable security safeguards matter for CISOs
Reasonable security in practice maps to NIST CSF 2.0, CIS Critical Security Controls, and the GLBA Safeguards Rule. Encryption of persistent identifiers, multi-factor authentication on systems with customer data, network segmentation to limit lateral movement, timely patching, continuous monitoring with alerting, data minimization and purging, vendor governance, tabletop exercises, and independent testing are the baseline. If these are weak or inconsistent, one intrusion can become a long-lasting liability for customers and the business.