My Mortgage Lender Handed My Identity to Hackers Without a Fight
The Non-Financial Ledger: What a Stolen Address Actually Costs You
George Mardikian did everything right. He was careful about where his personal information went online. He secured documents containing his data. When he took out a home equity line of credit with Figure Lending, he did what millions of Americans do every day when they engage with a financial institution: he handed over the most sensitive details of his life and trusted the company to treat those details like they mattered.
His full name. His home address. His date of birth. His phone number. These are the four coordinates of a person’s life. They are how debt collectors find you, how creditors verify you, how landlords screen you, how scammers target you. Together, they are enough for a criminal to build a convincing fake version of you and begin dismantling your financial life from the inside.
After February 14, 2026, all of that information belonged to ShinyHunters.
Since the breach, Mardikian has been hit with a surge in spam calls and scam text messages. He has started spending significant time monitoring his accounts, watching for the first signs of fraud. He lies awake worrying. He cannot unknow what he knows: that somewhere on a dark web server, his personal data is sitting in a 2.5-gigabyte file that a hacking group published for the world’s criminal marketplace to download and use.
That anxiety is not abstract. That is not a legal argument dressed up as an emotion. That is the specific, documented feeling of knowing your identity has been permanently compromised and that you will spend the next several years, possibly longer, waiting for the other shoe to drop. Victims of identity theft often do not find out their information was weaponized until debt collection calls start arriving, sometimes three years after the theft. Tax fraud surfaces only when a legitimate return gets rejected. A fraudulent loan opened in your name shows up on a credit report you probably check once a year. The damage is slow, grinding, and deeply personal.
The lawsuit describes Mardikian’s injuries as including anxiety, sleep disruption, stress, fear, and frustration. That reads like boilerplate. It is not. It is a precise accounting of what it feels like to know that a company you paid, a company that promised to protect you, chose to skip the parts of cybersecurity that cost money. Every spam call is a reminder. Every suspicious email is a reminder. Every time he opens his bank app, he is reminded that his privacy was a line item that Figure decided to trim.
He trusted them. They took that trust and they underinvested in it. And now he will spend years paying, in time, attention, and worry, for a decision he had no part in making.
That is the non-financial ledger. There is no dollar figure assigned to it in this complaint. There probably should be.
The Breach: What Happened, What Was Stolen, Who Did It
On or about February 14, 2026, Figure Lending’s systems were compromised through a social engineering attack. Within days, the data was on the dark web and close to one million customers were exposed.
- The attack method: Hackers used social engineering to trick a Figure employee, gaining access to internal files. Social engineering exploits human behavior rather than technical vulnerabilities; it is one of the most preventable attack vectors in cybersecurity because it is defeated by employee training and internal access controls.
- What was stolen: Customer full names, home addresses, dates of birth, and phone numbers. These four data points, combined with other information freely available online, are sufficient to build comprehensive criminal dossiers called “Fullz” packages, which sell on the dark web for up to $100 per record or more.
- Scale of exposure: TechCrunch reported the breach affected close to one million customers. Figure initially described “a limited number of files,” language the lawsuit characterizes as inadequate to address the full scope of harm.
- ShinyHunters published the data: After Figure refused to pay a ransom, ShinyHunters posted 2.5 gigabytes of allegedly stolen customer data to its official dark web leak website. The data was independently verified by TechCrunch, which confirmed it contained the data types described above.
- The FBI had already warned the public: The FBI issued a FLASH alert specifically identifying ShinyHunters and related groups (UNC6040 and UNC6395) as responsible for “a rising number of data theft and extortion intrusions,” noting they target organizations’ Salesforce platforms and demand cryptocurrency ransoms. That warning was publicly available before this breach.
- Figure’s response: The company offered free credit monitoring “to all individuals who receive a notice.” The lawsuit argues this response is wholly insufficient: credit monitoring does not compensate victims for injuries already suffered, does not prevent further use of already-published data, and was offered only to those who received a notice, while the broader class was kept uninformed.
“The exposure of one’s PII to cybercriminals is a bell that cannot be unrung. Before this data breach, its customers’ private information was exactly that: private. Not anymore.”
Legal Receipts: What Figure Said vs. What They Did
The following are verbatim statements from Figure’s own Privacy Policy and from the court filing, as well as direct quotes from the FBI’s FLASH alert. These are the words that will follow Figure Lending into the courtroom.
“We use reasonable precautions, including technical and administrative measures, to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.” Source: Figure Lending Privacy Policy, cited in Complaint ¶17(a)
- This promise is the foundation of the implied contract claim. Figure collected customer PII, made this explicit pledge, and then failed to train employees adequately against social engineering, one of the most basic and documented attack vectors in modern cybersecurity.
- The complaint alleges Figure failed to meet minimum standards of the NIST Cybersecurity Framework Version 2.0, including controls specifically governing access authentication (PR.AA-01 through PR.AA-05), staff training (PR.AT-01), data security (PR.DS-01, PR.DS-02, PR.DS-10), and continuous monitoring (DE.CM-01, DE.CM-03, DE.CM-06, DE.CM-09). These are not aspirational guidelines; they are the floor.
“The breach originated when an employee was tricked with a social engineering attack that allowed the hackers to steal ‘a limited number of files.’” Source: Figure’s admission, quoted in Complaint ¶19, via TechCrunch, February 13, 2026
- Figure’s own admission confirms the attack vector was a preventable human failure. Social engineering is defeated by employee training, strict access controls, and multi-factor authentication, all of which are listed in the NIST framework Figure allegedly failed to follow.
- The phrase “a limited number of files” is directly contradicted by TechCrunch’s independent reporting that the breach affected close to one million customers and by ShinyHunters publishing 2.5 gigabytes of data. This framing matters: if it was used to delay or minimize notification obligations, it compounds the harm.
“Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data. These extortion demands have varied in time following UNC6040 threat actors’ access and data exfiltration, ranging from a period of days to months.” Source: FBI FLASH Alert, Cyber Criminal Groups UNC6040 and UNC6395, cited in Complaint ¶31(d)
- The FBI’s FLASH alert was publicly available before this breach occurred. It identified ShinyHunters by name, described their exact methods, and warned that target organizations were receiving cryptocurrency extortion demands. Figure, as a financial technology company holding data on nearly a million customers, had every reason and professional obligation to act on this intelligence.
- The complaint uses this alert to establish that the risk was foreseeable: the specific threat actor, the specific method, and the specific aftermath were all documented in a federal law enforcement advisory before February 14, 2026.
“In almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions.” Source: American Bar Association, Data Breach and Encryption Handbook, cited in Complaint ¶80(a)
- The complaint cites this not as opinion but as established professional standard. The ABA’s conclusion is that data breaches are, as a category, preventable. Figure’s failure is therefore not an act of nature; it is the predictable outcome of cutting corners on security investment.
- “Most of the reported data breaches are a result of lax security and the failure to create or enforce appropriate security policies, rules, and procedures.” (ABA Handbook, also cited at ¶80(c)) This framing transforms Figure’s negligence from an accident into a documented pattern of industry-wide inadequacy that companies choose.
“Defendant enriched itself by saving the costs they reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ PII.”
Societal Impact: Who Gets Hurt When Fintech Cuts Security Corners
Public Health: The Psychological Cost of Identity Exposure
The harms from a data breach extend well past the financial. The complaint documents a pattern of psychological and quality-of-life injuries that fall disproportionately on ordinary people with no way to protect themselves retroactively.
- Plaintiff George Mardikian experienced anxiety, sleep disruption, stress, fear, and frustration directly attributed to the breach. These are not incidental; the complaint identifies them as legally cognizable injuries that “go far beyond allegations of mere worry or inconvenience.”
- Victims of identity theft frequently face embarrassment, blackmail, and in-person or online harassment when stolen identities are used to commit crimes, open fraudulent accounts, or impersonate the victim to police. Mardikian and class members now live with this risk indefinitely.
- The average discovery time for identity theft is three months after the theft occurs. Some victims take up to three years to learn their information was misused. During that entire window, victims experience heightened vigilance and chronic low-grade stress with no resolution in sight.
- Fraudulent tax returns are discovered only after a legitimate return is rejected. Fraudulent loans and credit accounts appear on credit reports that most people check infrequently. This delayed discovery pattern turns a single breach event into a multi-year psychological ordeal.
- The spike in spam calls and scam texts that Mardikian experienced immediately after the breach represents an ongoing daily-life intrusion. Each unsolicited contact is a reminder of violated privacy and a potential entry point for further exploitation.
Economic Inequality: This Hits Harder if You’re Already Struggling
The economic consequences of a data breach are not evenly distributed. Customers with fewer financial resources face compounded, disproportionate harm when their mortgage-related financial data is stolen.
- Victims must spend considerable out-of-pocket money to mitigate breach consequences: credit freezes across multiple bureaus, identity theft protection services beyond what Figure’s free monitoring covers, legal consultation, and replacing compromised accounts. These costs land on customers who were already paying a lender for financial services.
- Lost wages from time spent mitigating the breach represent a real economic harm. Contesting fraudulent charges, disputing credit report errors, contacting creditors, and monitoring accounts all require time that hourly workers and small business owners cannot recover.
- Tax refund delays caused by fraudulent returns filed in victims’ names create acute cash flow problems for lower-income households that depend on annual refunds to pay down debt or cover large expenses. The fraudulent return has to be untangled before the legitimate refund is processed, a process that can take months.
- Home equity line of credit customers are homeowners, but homeownership does not equal financial cushion. Many HELOC customers use the product precisely because they need liquidity. Identity theft threatening their credit score or existing credit lines directly threatens their access to that liquidity at the moment they need it most.
- The Cisco Consumer Privacy Survey, cited in the complaint, found that 83% of consumers are willing to spend time and money to protect their data. Those who can least afford to spend are now being forced to spend the most, subsidizing Figure’s security failures with their own labor and money.
- “Fullz” packages built from this breach can be sold “over and over” to multiple criminal buyers. Each additional sale extends the period of risk and multiplies the number of potential bad actors targeting any single victim. There is no reset button.
The Cost of a Life: What Figure’s Savings Actually Bought
The complaint alleges Figure “calculated to avoid its data security obligations at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.” The company saved money. Its customers are now paying the bill.
The Compliance Failures: Every Standard Figure Allegedly Ignored
The complaint identifies a multi-layered cascade of regulatory and industry failures. These are documented obligations, named frameworks, and specific laws. Figure allegedly failed to comply with all of them.
What Now: Your Rights, the Watchlist, and How to Fight Back
A class action complaint is a tool, but it is only useful if the people it was filed for know it exists and know how to participate. Here is the specific, actionable information you need right now.
If You Were a Figure Customer
- Check for a breach notice. Figure offered credit monitoring “to all individuals who receive a notice.” If you have a Figure Lending account and have not received a notification letter, that itself may be a violation of California and federal law. Document the absence of notice with a date.
- Place a credit freeze immediately at all three major bureaus: Equifax, Experian, and TransUnion. A freeze is free and prevents new accounts from being opened in your name. A credit monitoring service does not stop fraud; it only tells you after it happens.
- File a complaint with the FTC at IdentityTheft.gov. The FTC tracks breach-related identity theft and this creates a paper trail that strengthens class membership and regulatory pressure on Figure.
- Contact the class action attorneys. Rhine Law Firm (Ruth Sheehan, Joel Rhine) in Wilmington, NC, and Strauss Borrelli PLLC in Chicago, IL are counsel of record. Class membership is open to all U.S. residents whose PII was compromised in this breach and to California residents as a specific subclass.
- Document everything. Screenshot every spam call, scam text, suspicious email, and any sign of fraudulent activity. This documentation directly supports your individual damages claims within the class.
Regulatory Watchlist: Bodies That Should Be Acting on This
- CFPB (Consumer Financial Protection Bureau): The CFPB enforces Regulation P and the GLBA Privacy Rule for non-bank financial institutions. Figure is squarely in its jurisdiction. The CFPB has authority to levy civil penalties and require remediation. File at consumerfinance.gov/complaint.
- FTC (Federal Trade Commission): Enforces Section 5 of the FTCA, which the complaint specifically invokes. The FTC has brought enforcement actions against companies for exactly this pattern of failures. File at reportfraud.ftc.gov.
- FBI Internet Crime Complaint Center (IC3): ShinyHunters is already in the FBI’s sights. Reporting to IC3 at ic3.gov adds your data point to federal investigations and may accelerate action against the criminal group.
- California AG (Attorney General Rob Bonta): California’s CCPA and Customer Records Act give the AG enforcement authority over Figure’s conduct regarding California residents. The AG’s office can pursue civil penalties independent of the private class action. File at oag.ca.gov/contact/consumer-complaint-against-business-or-individual.
- North Carolina AG (Attorney General Jeff Jackson): Figure’s principal place of business is Charlotte, NC. North Carolina has identity theft and data breach notification statutes under which the AG can take independent action.
Mutual Aid and Grassroots Resistance
- Share the lawsuit, not just the news article. The actual complaint (Case No. 3:26-cv-00135, W.D.N.C.) is public record. Post it in community finance groups, Reddit personal finance threads, and housing advocacy spaces. Most people never see the primary document.
- Contact your local legal aid organization if you cannot afford to consult a private attorney. Many legal aid offices have consumer protection units that can help you understand your rights as a class member or assist with individual identity theft remediation at no cost.
- Organize locally. If you are in a HOA, neighborhood association, tenant union, or community group, raise awareness that this breach affects home equity borrowers specifically. Homeowners in financial distress are especially vulnerable to identity fraud targeting their property records and mortgage accounts.
- Push for stronger laws. Contact your federal and state representatives and specifically demand mandatory minimum cybersecurity standards for non-bank financial institutions under GLBA, stronger penalties for delayed breach notification, and a private right of action under federal law (not just California’s CCPA) for data breach victims.
The source document for this investigation is attached below.