Figure Lending Facing Class Action Over February 2026 Data Breach

Figure Lending, a subsidiary of Figure Technology Solutions and one of the largest non-bank HELOC lenders in the United States, is now facing a federal class action lawsuit after a data breach in February 2026 exposed the personal information of approximately 967,000 individuals. The lawsuit, filed as *Mardikian v. Figure Lending, LLC* (Case No. 3:26-cv-00135) in the U.S. District Court for the Western District of North Carolina on February 19, 2026, alleges the company failed to maintain adequate security safeguards required under the Gramm-Leach-Bliley Act. The breach originated from a vishing attack — a voice phishing scheme — in which a single employee was tricked into handing over login credentials, giving the hacking group ShinyHunters access to roughly 2.5 GB of customer data.

The fallout has been swift. ShinyHunters claimed responsibility on its dark web leak site on February 13, 2026, the same day Figure publicly confirmed the breach. After the company refused to pay a ransom, the group published the stolen data. For the nearly one million affected customers, the exposed information includes names, dates of birth, email addresses, phone numbers, and physical home addresses. Figure has stated that Social Security numbers, customer funds, and its Provenance Blockchain were not compromised, though that distinction offers limited comfort to those whose personal details are now circulating freely.

What Led to the Figure Lending Class Action Over the February 2026 Data Breach?

The class action traces directly back to a social engineering failure. Unlike many high-profile breaches involving zero-day exploits or sophisticated malware, the Figure breach started with a phone call. ShinyHunters, a threat group that Google Threat Intelligence has flagged for escalating operations using advanced vishing techniques, targeted a Figure employee and convinced them to reveal their login credentials. That single point of failure gave attackers access to internal systems and the ability to exfiltrate 2.5 GB of data covering nearly a million accounts. It is a stark reminder that even companies built on blockchain technology are only as secure as their weakest human link.

The lawsuit was filed just six days after Figure confirmed the breach publicly. Plaintiff Mardikian alleges that Figure Lending, as a financial institution, was bound by the GLBA’s Safeguards Rule, which requires companies handling consumer financial data to maintain a written information security program with reasonable administrative, technical, and physical protections. The complaint argues Figure failed on that front. By comparison, a company like a regional credit union handling far fewer accounts would face the same regulatory obligations — the scale of Figure’s operations made the absence of adequate safeguards all the more glaring. Beyond the Safeguards Rule violation, the lawsuit raises a more unusual GLBA claim: that by allowing hackers to access personally identifiable information, Figure effectively shared customer data with a non-affiliated third party without providing the required opt-out notice or a reasonable opportunity to opt out. This legal theory treats the breach not merely as a security failure but as a privacy violation under federal financial regulation, which could broaden the scope of potential liability.

What Personal Data Was Exposed and What Wasn’t?

The breach compromised a specific set of personal information: names, dates of birth, email addresses, phone numbers, and physical home addresses. While this does not include the most sensitive financial identifiers, it is far from harmless. A date of birth combined with a home address and phone number gives bad actors enough to attempt identity verification bypasses at banks, insurance companies, and government agencies. Criminals can also use this data for highly targeted phishing campaigns, since they can reference real details to make fraudulent communications appear legitimate. Figure has emphasized that Social Security numbers and customer funds were not part of the stolen data, and that its Provenance Blockchain remained unaffected. However, affected individuals should treat this reassurance with some caution.

Breach investigations evolve, and initial assessments of what was and was not compromised sometimes change as forensic analysis deepens. The Massachusetts Attorney General notification filed around February 24, 2026 reflects the data types currently understood to be exposed, but if your data was in Figure’s systems, monitoring your accounts remains prudent regardless of what the company says was or was not taken. It is also worth noting that even “limited” personal data breaches carry long-tail risks. Home addresses do not change frequently. Dates of birth never change. This information can be combined with data from other breaches to build comprehensive profiles used for fraud, a tactic known as data enrichment that has become standard practice in criminal marketplaces.

Figure: Types of Personal Data Exposed in Figure Lending Breach. Names, dates of birth, email addresses, phone numbers, and home addresses: 967,000 individuals affected in each category. Source: Figure Technology Solutions breach notification, Massachusetts AG filing (Feb 2026).

Who Is ShinyHunters and Why Does Their Involvement Matter?

ShinyHunters is not a new name in cybersecurity circles. The group has been linked to numerous high-profile breaches over the past several years, targeting companies across technology, retail, and financial services. Their involvement in the Figure breach is consistent with a pattern Google Threat Intelligence has documented: an escalation in operations using sophisticated vishing techniques. Rather than relying solely on technical exploits, ShinyHunters has increasingly turned to social engineering, manipulating employees directly to gain access. The group’s decision to publish the stolen data after Figure refused to pay a ransom follows a predictable playbook.

Threat groups like ShinyHunters use public data dumps both as punishment for non-payment and as a reputation-building exercise — demonstrating to future targets that refusal to negotiate carries real consequences. For affected Figure customers, the publication of their data means it is not sitting behind a paywall on a dark web marketplace; it is freely available to anyone looking for it. This significantly increases the likelihood that the data will be exploited by a wide range of bad actors, not just the original attackers. The vishing method used here is particularly concerning for the broader financial services industry. Technical defenses like firewalls, encryption, and multi-factor authentication can be rendered meaningless if an employee can be talked into giving up their credentials over the phone. Companies that have not invested in rigorous social engineering awareness training and verification protocols for credential requests are vulnerable to the same type of attack.

What Should Affected Figure Lending Customers Do Now?

If you are among the approximately 967,000 individuals whose data was exposed, there are practical steps you should take immediately, even though Social Security numbers were reportedly not involved. First, change the password on any account where you used the same email address and password combination associated with your Figure account. Credential stuffing attacks — where stolen login details from one breach are tested against other services — remain one of the most common forms of account compromise. Second, enable multi-factor authentication on your email, banking, and financial accounts if you have not already. Since your phone number was exposed, be aware that SMS-based two-factor authentication is less secure than app-based authenticators like Google Authenticator or Authy, because attackers with your phone number may attempt SIM-swapping attacks to intercept text messages.

The tradeoff is convenience versus security: SMS verification is better than nothing, but an authenticator app is meaningfully more resistant to the specific threats created by this breach. Third, be vigilant about unsolicited phone calls and emails. With your name, date of birth, address, and phone number in hand, scammers can craft convincing impersonations of your bank, insurance company, or even government agencies. If someone calls asking you to verify personal information, hang up and call the institution directly using the number on their official website. This is exactly the type of vishing attack that compromised Figure in the first place — do not let the same technique be turned against you.

What Are the Legal Claims and What Could a Settlement Look Like?

The *Mardikian v. Figure Lending* lawsuit is currently a proposed class action, meaning it has been filed but the class has not yet been certified by the court. Certification is a critical hurdle. The court will need to determine whether the claims of the nearly one million affected individuals are sufficiently similar to be handled as a single case. Given that the same breach exposed the same categories of data for all affected users, certification is plausible, but it is not guaranteed — defendants routinely challenge class certification, and the process can take months or longer.

The GLBA-based claims give the lawsuit a somewhat distinctive legal foundation compared to many data breach class actions, which often rely on state consumer protection statutes or negligence theories. The Safeguards Rule argument is straightforward: Figure was required to have adequate protections and allegedly did not. The opt-out notice theory is more novel and may face legal scrutiny, as courts have not uniformly accepted the argument that a hacker’s unauthorized access constitutes “sharing” under the GLBA’s privacy provisions. Multiple law firms, including Lynch Carpenter LLP, are investigating additional claims and accepting affected clients. If you received a breach notification from Figure, you do not need to take immediate legal action to preserve your rights — class actions typically have opt-out deadlines that come later in the process. However, holding onto any correspondence from Figure about the breach is important, as it may serve as evidence of your membership in the affected class.

Figure’s Breach Notification and Regulatory Response

Figure filed a breach notification with the Massachusetts Attorney General on approximately February 24, 2026, roughly 11 days after publicly confirming the breach. Massachusetts is one of several states with mandatory breach notification laws that require companies to alert both regulators and affected individuals within a defined timeframe. The fact that this notification is on record means Massachusetts residents, at minimum, should expect to receive direct communication from Figure about the breach and any remediation services being offered.

It remains to be seen whether other state attorneys general will open their own investigations or whether federal regulators will take action. Data breaches affecting financial institutions often draw attention from the Federal Trade Commission, which enforces the GLBA’s Safeguards Rule. For context, the FTC’s 2023 update to the Safeguards Rule specifically strengthened requirements around access controls and employee training — the very areas where Figure’s defenses appear to have failed.

What the Figure Breach Means for Fintech Security Going Forward

The Figure breach is likely to accelerate regulatory and industry scrutiny of fintech companies’ security practices, particularly around social engineering defenses. Traditional banks have decades of experience with internal security protocols, branch-level verification procedures, and regulatory examinations. Fintech firms, even well-funded ones like Figure, often operate with leaner teams and faster-moving cultures that can leave gaps in employee security training.

The fact that a single vishing call could compromise a company serving nearly a million customers will not go unnoticed by regulators. For consumers, the broader takeaway is that the fintech label does not automatically mean better or worse security than a traditional bank. What matters is how seriously a company takes operational security at every level, from its blockchain infrastructure down to whether an employee knows not to give out credentials over the phone. As vishing attacks grow more sophisticated and threat groups like ShinyHunters continue to refine their techniques, the companies that invest in human-layer security — not just technical defenses — will be the ones that avoid becoming the next cautionary example.

Frequently Asked Questions

Was my Social Security number exposed in the Figure Lending data breach?

According to Figure, Social Security numbers were not compromised in the breach. The exposed data included names, dates of birth, email addresses, phone numbers, and physical home addresses. However, breach investigations can evolve, so monitoring your credit reports as a precaution is still advisable.

Do I need to sign up with a lawyer to be part of the Figure Lending class action?

No. If the class is certified by the court, affected individuals are typically included automatically unless they choose to opt out. You do not need to retain an attorney to be a class member, though consulting one can help you understand your options. Multiple firms, including Lynch Carpenter LLP, are currently investigating claims.

Is there a settlement I can file a claim for right now?

No. The lawsuit (*Mardikian v. Figure Lending, LLC*, Case No. 3:26-cv-00135) was filed on February 19, 2026 and is in its early stages. There is no settlement at this time. If a settlement is reached in the future, affected individuals will be notified about how to file a claim.

How do I know if I was affected by the Figure data breach?

Figure filed a breach notification with the Massachusetts Attorney General on approximately February 24, 2026, and is expected to notify affected individuals directly. If you were a customer of Figure Lending or Figure Technology Solutions, watch for correspondence from the company. You can also check the Massachusetts AG’s website for the filed notice.

Should I freeze my credit even though SSNs were not exposed?

A credit freeze is a strong precautionary measure, but it may be less urgent in this case since Social Security numbers reportedly were not compromised. However, if you want maximum protection — especially given that your date of birth and home address were exposed — placing a freeze with all three major credit bureaus (Equifax, Experian, and TransUnion) is free and can be lifted temporarily when you need to apply for credit.

What is vishing and how did it cause the Figure breach?

Vishing, or voice phishing, is a social engineering attack conducted over the phone. In this case, the hacking group ShinyHunters used a vishing call to trick a Figure employee into revealing their login credentials, which allowed the attackers to bypass the company’s internal security and access customer data. It is a growing threat that targets people rather than technology.

