Data breach
Stern v. Academy Mortgage Corporation
Date: Oct. 8, 2025
Issue: Whether a proposed class possessed standing and adequately stated claims in their lawsuit against Academy Mortgage Company over a data breach.
Case Summary: Judge David Barlow of the U.S. District Court of Utah refused to dismiss a data breach class action against Academy Mortgage Company.
Academy collects and stores sensitive Personally Identifiable Information (PII), including names, dates of birth, Social Security numbers, credit histories, income and other financial data. On March 21, 2023, Academy discovered the ransomware gang BlackCat/Alphv had infiltrated its computer network, compromising the PII of roughly 284,443 individuals. BlackCat claimed responsibility on its blog, demanded a ransom, and threatened to release the data. When Academy refused to pay, the group posted a large amount of stolen data — including mortgage applications, financial documents, driver’s licenses, passports, fingerprints, and signatures — on the dark web. Academy notified affected customers and employees on Dec. 20, 2023.
A proposed class sued Academy alleging it failed to protect customer and employee data. The class alleged ongoing harm, including increased spam calls, anxiety and efforts to prevent identity theft. Some class members claimed the breach led to identity theft, including fraudulent loans, unauthorized credit card activity, and verification attempts. The class contended Academy’s failure to secure their data directly caused these harms.
On June 27, 2025, Academy moved to dismiss the case. First, Academy argued plaintiffs lack Article III standing because they failed to allege a concrete injury and relied on speculation. Academy also argued that the complaint fails to state a plausible claim for relief because the class did not adequately allege damages under Utah law and did not provide enough facts to support other essential elements of their claims.
Refusing to dismiss the entire case, the court ruled the class adequately alleged Article III standing. The court acknowledged that data breach cases pose unique challenges in demonstrating a concrete injury in fact. At the same time, the court relied on the prevailing rule from other circuits: plaintiffs must allege actual misuse of the stolen PII — such as identity theft, fraud, or publication on the dark web — to establish imminent harm. Addressing the alleged injuries (BlackCat publishing the stolen data on the dark web, along with fraudulent loan and credit card activity), the court determined these injuries created an imminent risk of harm and a favorable ruling could remedy them.
After finding Article III standing, the court declined to dismiss most claims. It allowed the negligence claim to proceed, determining the class alleged present injury from identity-theft risks, mitigation costs, and exposure of personal data — fitting within the independent-duty exception. The court also allowed the breach-of-implied-contract claim to proceed, concluding the privacy policy and the exchange of PII plausibly created enforceable obligations. The court also refused to dismiss claims for invasion of privacy and violations of the California Customer Records Act; California Consumer Privacy Act; and consumer protection laws in California, Washington and Idaho.
The court dismissed the plaintiffs’ unjust enrichment claim, finding they failed to show that Academy received or retained a direct, unjust benefit. Although the plaintiffs alleged they provided money, labor, or personal information from which Academy profited, the court held these allegations were insufficient because Academy did not obtain any benefit beyond the services it had already been paid to provide.
Bottom Line: The court dismissed only the unjust enrichment claim, while all other claims survived based on plausible allegations of harm and legal duty.
Document: Opinion











