Figure Lending, LLC, which markets itself as America’s #1 non-bank Home Equity Line of Credit lender, has been named in a proposed federal class action following a reported cyber incident that allegedly exposed customer personal information. Mardikian v. Figure Lending, LLC, 3:26-cv-00135 (W.D.N.C. Feb. 19, 2026). The complaint alleges that the company’s systems were improperly accessed and customers’ personally identifiable information was compromised.

The complaint highlights the growing litigation risk created when a company’s public-facing privacy representations are juxtaposed against breach allegations. It quotes Figure Lending’s privacy policy, stating it uses “reasonable precautions, including technical and administrative measures” to protect personal data. The complaint also quotes policy language stating the company does not sell personal data and is “committed to respecting your privacy choices.”

For fintech companies and mortgage providers, this case is a reminder that protecting sensitive financial and identity data must be treated as a core business control, not just an IT function, especially where plaintiffs may frame claims through financial-privacy statutes. The complaint alleges Figure Lending is a financial institution under the Gramm-Leach-Bliley Act (GLBA) and is subject to GLBA-related obligations, including the Safeguards Rule’s requirement for a written information security program with reasonable administrative, technical, and physical safeguards. It also alleges GLBA violations tied to sharing  personally identifiable information with a non-affiliated third party without an opt-out notice and a reasonable opportunity to opt out.

The Figure Lending complaint is a reminder that cybersecurity and privacy commitments rise and fall together. When an incident is alleged to stem from a human-layer attack like social engineering, attention often shifts beyond technical controls to governance, consumer communications, and whether an organization’s public privacy statements align with its security posture. For lenders and fintechs handling sensitive financial and identity data, that alignment (and the ability to provide timely, legally compliant notice) can be a consequential component of incident response.