Figure Lending LLC, the nation’s largest non-bank provider of home equity lines of credit (HELOCs), failed to prevent a catastrophic data breach that exposed the sensitive personal information of thousands of homeowners to the notorious cybercriminal group ShinyHunters, according to a class action complaint filed in North Carolina federal court. The breach, which the company admitted originated from a “social engineering attack” that tricked an employee, highlights a systemic failure to implement basic cybersecurity safeguards despite collecting a trove of financial and personal identifiers from customers seeking loans.

The lawsuit, brought by California homeowner George Mardikian, alleges that Figure Lending’s inadequate security protocols allowed hackers to maintain unrestricted access to its network for an unknown period before the breach was discovered on or around February 14, 2026. The complaint argues that the fintech lender, which markets itself as a blockchain-based transformer of capital markets, prioritized growth and cost-saving over the fundamental duty to protect the non-public personal information (NPI) of its customers.

The Human Weak Link: A Social Engineering Attack

Unlike a sophisticated zero-day exploit targeting complex blockchain infrastructure, the breach at Figure Lending reportedly succeeded due to a much simpler and more preventable cause: human error manipulated by deception. The company disclosed that “the breach originated when an employee was tricked with a social engineering attack that allowed the hackers to steal ‘a limited number of files.'” This admission underscores a failure in corporate training and email security filtering, basic components of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which the company is legally required to follow as a financial institution.

The exposed data included customers’ full names, home addresses, dates of birth, and phone numbers. While Figure Lending has attempted to downplay the scope by calling it a “limited number of files,” the hacking group ShinyHunters took responsibility on its dark web leak site and published 2.5 gigabytes of allegedly stolen data. TechCrunch, which reviewed a portion of the data, confirmed the validity of the exposed customer records.

Failure to Meet Regulatory Standards

The complaint details a pattern of alleged corporate misconduct regarding compliance with established financial privacy laws. As a financial institution subject to the GLBA, Figure Lending is mandated to develop a comprehensive written information security program. Yet, the plaintiffs allege the company failed to identify reasonably foreseeable internal and external risks, failed to regularly test safeguards, and failed to ensure its service providers maintained adequate security. Furthermore, the lawsuit claims Figure Lending violated California’s strict data breach notification statute (Cal. Civ. Code § 1798.82) by failing to notify affected customers “within 30 calendar days of discovery.”

Despite collecting PII for thousands of HELOC customers, the company’s Privacy Policy promise to use “reasonable precautions, including technical and administrative measures” rings hollow in light of the breach. The complaint asserts that the company did not follow industry standards such as the NIST Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls.

The ShinyHunters Connection and the Dark Web Fallout

The involvement of ShinyHunters elevates the severity of this incident from a simple leak to a high-stakes extortion event. The FBI has previously issued FLASH alerts regarding this group (tracked as UNC6040 and UNC6395), warning that they target corporate platforms and demand cryptocurrency payments to avoid public data dumps. Figure Lending’s alleged refusal to pay the ransom has resulted in the data being published on the dark web, a marketplace where criminals aggregate “Fullz” packages, comprehensive identity dossiers that combine stolen data with publicly available information to enable seamless fraud.

For customers like George Mardikian, the injury is ongoing. The complaint details a spike in spam and scam text messages and phone calls following the breach, a common precursor to more targeted identity theft attempts. The plaintiff alleges a diminution in the value of his personal identifiable information and the ongoing emotional toll of hypervigilance against financial fraud.

Corporate Accountability Beyond Credit Monitoring

While Figure Lending has offered affected individuals free credit monitoring, the lawsuit contends this is a wholly insufficient remedy for the lifetime exposure of static identifiers like names and dates of birth. The corporate accountability angle focuses on the disparity between the company’s profits derived from leveraging customer data and the alleged minimal investment in safeguarding that same data.

The litigation seeks to compel Figure Lending to implement and maintain reasonable security measures, disgorge profits saved by skimping on cybersecurity, and provide actual compensation for the time and money customers must now spend to protect themselves from the fallout of corporate negligence.

Consumer Impact and Long-Term Risk

The data compromised in this breach is particularly dangerous because it cannot be easily changed. Unlike a credit card number, a person’s name, address, and date of birth are permanent fixtures of their identity. When combined with additional data points easily found via public records or previous breaches, this information forms the skeleton key needed for new account fraud, loan stacking, and medical identity theft. The lawsuit notes that victims of data theft often face years of monitoring their credit reports and may not discover the misuse of their identity until months or years later when debt collectors come calling.

The case, Mardikian v. Figure Lending LLC (No. 3:26-cv-00135), highlights the increasing tension between financial technology innovation and the rudimentary security practices that often accompany rapid scaling in the neoliberal financial sector. It serves as a stark warning that blockchain branding does not equate to blockchain security when a single employee clicking a malicious link can expose the financial lives of thousands of American homeowners.