Figure Lending breach probe

A law firm did not “find” a breach at Figure Lending this week. It announced on April 9, 2026 that it is investigating a breach Figure had already disclosed, which is a very different stage of the story. (prnewswire.com) The breach Figure described traces back to January 28, 2026, when data was obtained through queries on databases holding loan and loan-inquiry records. California’s attorney general site lists January 28, 2026 as the breach date in the company’s filing. (oag.ca.gov) Figure’s own notice says the exposed data could include a person’s name, Social Security number, address, phone number, email, date of birth, loan account number, and loan information. That is the kind of mix criminals use like a full application packet, not just a stray email list. (classactionu.org) Figure also said there was no evidence of unauthorized access to customer accounts and funds, and that operations continued without interruption. That narrows the problem from money moving out of accounts to personal data moving out of databases. (classactionu.org) The “nearly 1 million” figure appears to come from breach-tracking reports that put the count around 967,000 to 967,200 records. That number matters because Figure is not a social app with throwaway profiles; it is a lender handling identity data tied to borrowing. (prnewswire.com) (cybernews.com) Figure is not just a website that collects emails. Its privacy policy says it gathers Social Security numbers, taxpayer identification numbers, dates of birth, government identification documents, biometric information, income information, bank account and routing numbers, and transaction information when people use its services or apply for products. (figure.com) Its lending business is built around home-equity borrowing and related financial products, and Figure says Figure Lending LLC is a wholly owned subsidiary of Figure Technology Solutions. When a company in that business has a breach, the legal fight usually turns on whether it used security controls that match the sensitivity of mortgage-style data. (figure.com 1) (figure.com 2) That is why the new announcement is about lawyers, not hackers. Edelson Lechtzin is investigating possible claims on behalf of affected people, while an earlier proposed class action filed on February 19, 2026 already alleged that Figure failed to use reasonable cybersecurity safeguards and failed to give timely notice. (prnewswire.com) (classaction.org) The timing is part of the dispute. Figure’s notice letter is dated February 24, 2026, while public reporting and legal notices tied the incident to disclosures around February 13, 2026, after data was allegedly leaked by the group ShinyHunters. (classactionu.org) (prnewswire.com) Figure says it is offering two years of free credit monitoring and identity restoration through TransUnion, with enrollment by May 31, 2026. That is standard breach cleanup, but it does not answer the bigger question of whether the company’s safeguards were strong enough before January 28. (classactionu.org) So the real news is not that liability has been decided. The real news is that a breach involving lender-grade identity data, a record count near 1 million, and an active class-action pipeline is moving from incident response into the expensive phase where courts, regulators, and other finance companies start asking what “reasonable security” should have looked like. (prnewswire.com) (classaction.org)