CMG Mortgage Data Breach

San Ramon Based CMG Mortgage Reports Security Incident

On March 29, 2022, CMG Mortgage, Inc. reported that some of its customers may have had their personal information accessed by an unauthorized party.

CMG Mortgage Data Breach Details

The personal information involved may have included customers’:

  • Name
  • Address
  • Date of Birth
  • Social Security number
  • Driver’s license number
  • Bank account number
  • Loan application number

The full text of the CMG Mortgage Notice of Data Breach can be found here.

Special California Privacy Laws Protect You

California has laws that specifically protect your personal information.

  • The California Customer Records Act (Cal. Civil Code § 1798.80-84) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.
  • The California Consumer Privacy Act (CCPA) (Cal. Civil Code § 1798.100-199.100) contains many protections for personal information of California residents.

If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.

I received a Data Breach Notice from CMG Mortgage.  What should I do now?

CMG Mortgage suggests steps to take to protect your personal data, and is offering affected consumers a two-year membership in Experian’s IdentityWorksSM.

Be aware that the Data Breach Notice says consumers must enroll to take advantage of this offer, and there is an enrollment deadline to do so.

If I follow the steps in the CMG Mortgage Data Breach Notice, will that prevent my personal information from being sold on the dark web?

“Dark web” monitoring can sometimes tell you if your information is being offered for sale to cyber thieves but cannot actually prevent the sale of that information.

Experian’s IdentityWorksSM does provide for dark web monitoring. Unfortunately, if you are the victim of a data breach you will still need to be on the lookout.  You must remain ever watchful for unapproved credit card charges, identify theft, tax fraud and other illegal uses of your personal information.

As Electronic Personal Data Doesn’t Degrade, Two Years Of Identity Theft Services Offered by CMG Mortgage May Not Be Enough

Identity theft is on the upswing. For example, in Washington State, residents were sent 6.3 million data breach notices, the largest number on record.[1] By 2021, there were over 50 million personal records compromised nationwide; with the T-Mobile data breach alone affecting 6 million consumers. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

Cyber crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like Social Security numbers, names, and birth dates – are almost impossible to change. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

Law enforcement is often unable to break the sophisticated encryption hiding these unlawful activities. The FBI’s Internet Crime Compliance Center received almost 800,000 complaints in 2020. This leaves identity theft victims to repair their misused credit scores, health insurance, and social security numbers.

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Corporations Should Be Held Accountable For Data Breaches

Many businesses amass huge troves of personal data about consumers and keep that data indefinitely for future profits. When companies use this strategy, keeping your personal information secure from cyber criminals is their responsibility.  When you trust businesses with data that can be used to identify you, they owe you an obligation to use good privacy and security practices to keep your data safe.

This personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[2] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[3]

You Have Important Legal Rights Under California’s CCPA

The CCPA is the most comprehensive state privacy law in the country. It also provides consumers other important rights.  These include:

  • The right to see a copy of the personal data a business has collected about you, free of charge.
  • The right to find out why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
  • The right to have your personal information deleted from any business that collected it directly from you.
  • The right to find out if your data is being sold.
  • The right to opt-out of the sale of your data without being discriminated against.

When businesses decide to collect and keep personal data about California customers or visitors to their websites, under California law they take on the obligation to protect that information and keep it safe from hackers, thieves, and other criminals.


[1] Source: B. Ferguson, Attorney General, Washington State Attorney General’s Office, 2021 Data Breach Report (2021).

[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[3] Same