Union Home Mortgage data breach: Lessons and hardening checklist for CISOs

When attackers steal your customer or employee data, the harm to those people is profound and lasting. It is also expensive for you. A class action lawsuit filed this week in the Northern District of Ohio against Union Home Mortgage is a reminder that cybersecurity standards are not theoretical checkboxes. They can be the difference between containing an intrusion and incurring catastrophic losses.

Union Home Mortgage data breach: What we know

Confirmed facts from UHM’s notice

Union Home Mortgage Corporation (UHM) reported that files containing personal information were accessible to an unauthorized party in 2025. In September 2025, UHM notified regulators and affected individuals. State postings and UHM’s own notice materials confirm exposure of names, Social Security numbers, driver’s license or state ID numbers, full dates of birth, passport numbers, and financial and banking information. Public counts include 1,650 affected Washington residents, 24,160 Texans, and a small number of Massachusetts residents. These items are facts taken from government postings or UHM’s notices.

Allegations in the class action

A putative class action followed. The complaint alleges that UHM failed to use reasonable safeguards such as strong encryption, network segmentation, timely patching, continuous monitoring, and prompt notice, and that its public assurances of industry-recognized safeguards did not match reality. These specifics are allegations unless proven or admitted. The data categories and victim counts above, which come from state attorney general postings and UHM’s own notices, can be treated as facts.

Why reasonable security safeguards matter for CISOs

Reasonable security in practice maps to NIST CSF 2.0, CIS Critical Security Controls, and the GLBA Safeguards Rule. Encryption of persistent identifiers, multi-factor authentication on systems with customer data, network segmentation to limit lateral movement, timely patching, continuous monitoring with alerting, data minimization and purging, vendor governance, tabletop exercises, and independent testing are the baseline. If these are weak or inconsistent, one intrusion can become a long-lasting liability for customers and the business.

Data breach cost estimates based on Target and Capital One

Scale drives dollars. Target’s 2013 breach affected about 40 million payment cards and up to 70 million people’s personal records. Capital One’s 2019 incident affected about 100 million people in the United States and about six million in Canada. UHM’s publicly confirmed victim counts are far smaller. So far, the Washington and Texas filings alone account for 25,810 affected people; the nationwide total may be higher.

On this scale, expectations are:

  • Credit monitoring and call center operations likely land in the single-digit millions at current counts if coverage runs 12 to 24 months at standard breach rates.
  • Legal defense and forensics are largely fixed costs and remain a multi-million-dollar obligation even when comparatively fewer people are affected.
  • Consumer settlements tend to track per-capita more than raw volume. Mega-breaches often resolve near a dollar or two per person for consumer classes. Smaller groups of victims that involve Social Security numbers and government IDs can settle higher per head yet still total in the high seven to low eight figures.
  • Cyber insurance renewals typically rise and tighten established terms after an incident, extending costs beyond year one.

If present counts hold, a realistic exposure for UHM sits in the low eight-figure range, with risk for more if additional state victim tallies raise the total.

Industry-Standard Safeguards in 2025

These are the controls most major frameworks agree on. They’re the baseline of a well-rounded cybersecurity control stack.

  • Asset inventory and control. Keep an accurate, living inventory of hardware, software, accounts, and data locations. Apply access and monitoring controls to the contents of that inventory so nothing runs or reaches data without being known first.  
  • Strong identity and least privilege. Enforce multifactor authentication, strictly allocate admin rights, scope access privileges to the task, and monitor use of sensitive roles.  
  • Data protection. Encrypt sensitive data in transit and at rest, manage and rotate keys automatically, and enforce access according to data classification labeling. Securely destroy data on an established retention schedule.  
  • Secure configuration. Harden operating systems and apps, disable unneeded services, and apply secure defaults consistently.  
  • Vulnerability and patch management. Prioritize, patch, and harden quickly based on exploitability and impact; verify with scanning.  
  • Network segmentation and controlled pathways. Limit lateral movement with segmentation and explicit allow rules for specific ports, protocols, and destinations, with everything else denied.  
  • Application control. Limit application execution to approved software and scripts; block unknown tools by default.  
  • Logging and continuous monitoring. Collect and retain audit logs, detect anomalous behavior, and alert against policy violations.  
  • Backup and recovery. Maintain tested, reliable backups, including offline or immutable copies, and set recovery time and recovery point objectives against the risks you actually face.  
  • Incident response. Keep a written, rehearsed playbook with roles, communications, containment, and recovery steps. Practice it regularly through planned tabletop exercises.  
  • Third-party risk. Maintain an inventory of service providers, specify security requirements in their contracts, and monitor access and performance metrics.  
  • Awareness and drills. Train employees and third parties in phishing, data handling, and reporting; run tabletops and post-mortems to improve.  

Why these? You’ll find the same themes across NIST CSF 2.0, CIS Critical Security Controls v8.1, CISA’s Cross-Sector Cybersecurity Performance Goals, and the FTC’s GLBA Safeguards Rule for financial data.  

One-week PII breach hardening checklist

CISOs can materially reduce breach exposure with this focused one-week sprint:

IT operations

  • Locate every system that stores SSNs and government ID numbers. Confirm encryption at rest on those volumes and databases, and enforce TLS for every connection to them. Keep the keys in a hardware security module (HSM) or a key management system (KMS) rather than on the same host as the data.
  • Restrict endpoints to executing only signed scripts, and only for approved use cases.
  • Review the last 30 days of audit logs for scheduled tasks and other automated processes. Identify and disable any executables that are unnecessary or high-risk.
  • Ensure backups of every critical dataset include an offline or immutable copy. Validate them by performing test restores on a regular schedule.
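The first three IT-operations items can be checked from one script. The following PowerShell is an added example written for this page, not code from the original post or from ThreatLocker. It is read-only: it reports whether the volume holding PII is BitLocker-protected, whether legacy SSL/TLS versions are explicitly disabled in Schannel, whether the execution policy permits unsigned scripts, and which non-Microsoft scheduled tasks launch script engines, unsigned binaries, or missing files, plus every task registered in the last 30 days. Assumptions: it runs elevated on a Windows host; the PII store is on drive D: (the `$PiiVolume` placeholder); the Task Scheduler operational log is enabled (it is off by default on many builds, so the 30-day history may be empty). Backup immutability depends on the backup platform and is not covered.

```powershell
# Added example (not from the original post): read-only audit for the
# IT-operations sprint items. Run as administrator. Change $PiiVolume to the
# volume that actually holds SSNs / government ID numbers (assumption: D:).
$PiiVolume = 'D:'
$Findings  = [System.Collections.Generic.List[string]]::new()

# 1. Encryption at rest: the PII volume must be fully encrypted AND protected
#    ("FullyEncrypted" with protection Off means the key is stored in the clear).
$vol = Get-BitLockerVolume -MountPoint $PiiVolume -ErrorAction SilentlyContinue
if (-not $vol) {
    $Findings.Add("BitLocker: no status for $PiiVolume (BitLocker module missing or volume absent)")
} elseif ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
    $Findings.Add("BitLocker: $PiiVolume is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
}

# 2. TLS: legacy protocol versions must be explicitly disabled server-side.
#    A missing key means "OS default", which on older builds still allows TLS 1.0/1.1.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Server"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p -or $p.Enabled -ne 0 -or $p.DisabledByDefault -ne 1) {
        $Findings.Add("Schannel: $proto is not explicitly disabled for incoming connections")
    }
}

# 3. Signed scripts only: check the effective policy, not a single scope.
$policy = Get-ExecutionPolicy
if ($policy -notin 'AllSigned', 'Restricted') {
    $Findings.Add("PowerShell execution policy is '$policy'; expected AllSigned")
}

# 4. Scheduled tasks outside the Microsoft tree: flag script engines (common
#    living-off-the-land persistence), unsigned binaries, and dangling paths.
$engines = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
           'cmd.exe', 'rundll32.exe', 'regsvr32.exe'
foreach ($task in Get-ScheduledTask | Where-Object TaskPath -notlike '\Microsoft\*') {
    $label = "$($task.TaskPath)$($task.TaskName)"
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if (-not [IO.Path]::IsPathRooted($exe)) {       # bare names resolve via PATH
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Source }
        }
        $name = [IO.Path]::GetFileName($exe).ToLower()
        if ($name -in $engines) {
            $Findings.Add("Task $label runs script engine $name $($action.Arguments)")
            continue
        }
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                $Findings.Add("Task $label runs unsigned or invalid binary $exe ($($sig.Status))")
            }
        } else {
            $Findings.Add("Task $label points at missing file $exe (hijackable path)")
        }
    }
}

# 5. Tasks registered in the last 30 days (event 106: %1 = task name, %2 = user).
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
    Id        = 106
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue
foreach ($ev in $recent) {
    $Findings.Add("Task registered $($ev.TimeCreated.ToString('u')) by $($ev.Properties[1].Value): $($ev.Properties[0].Value)")
}

# Report, with a non-zero exit code so the script can gate a change ticket.
if ($Findings.Count -eq 0) { Write-Output 'No findings'; exit 0 }
$Findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it on each host identified as a PII store and file the output against the sprint ticket; anything it flags under item 4 is a candidate for the "disable unnecessary and high-risk executables" step, and the Schannel findings feed the TLS enforcement change.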

GRC & Compliance

  • Verify the applicability and completeness of the roles, escalation paths, and notification timelines included in the incident response playbook. Ensure the playbook includes role procedures for outside counsel and incident communication.
  • Confirm the GLBA Safeguards Rule requirements are in scope: enforce MFA for privileged access, encrypt data where feasible, and dispose of data according to your data classification and retention schedules. Apply monitoring and logging controls, including a defined duty to review alerts and respond to them.
  • Review cyber insurance policy conditions. Note the specified incident notification timing, third-party vendor requirements, and any exclusions.

Security architects

  • Enable default-deny application control for a pilot group of endpoints. Approve only the executables and paths that are required. Once satisfied with the inventory of approved applications, apply to the remainder of the organization’s endpoints.
  • Add application containment rules. Block Office and PDF tools from launching child processes they do not need, such as scripting engines, which are the usual pivot for malicious documents. Block outbound network calls from those apps and restrict their write access to sensitive files and folders.
  • Apply firewall rules that deny all traffic by default. Permit specific ports, protocols, and destinations explicitly.
  • Tighten access to PII repositories. Remove any standing admin rights and apply just-in-time-administration (JITA) to the remaining necessary privileged accounts. Rotate service account credentials and scope them to the task.
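The four architect steps above, applied to a single pilot endpoint. This PowerShell is an added example written for this page; it is not code from the original post or from ThreatLocker, and it uses the controls built into Windows (AppLocker, Defender attack surface reduction rules, Windows Firewall, local group management) rather than the ThreatLocker products described later. Assumptions, all placeholders to change: approved software is installed under `$ApprovedDirs`; the PII file server is `$PiiServer`; a domain-joined pilot machine must still reach the domain controllers in `$DomainControllers`; Defender Antivirus is the active engine (ASR requires it). Allowlisting and ASR start in audit mode, and the firewall and admin-group changes honour `$DryRun`, so a first run only reports what would change.

```powershell
# Added example, not from the post or ThreatLocker: default-deny pilot using
# built-in Windows controls. Run elevated on ONE pilot endpoint first.
$DryRun            = $true                                   # set $false to apply firewall/admin changes
$ApprovedDirs      = 'C:\Program Files', 'C:\Program Files (x86)'   # assumption: where approved apps live
$PiiServer         = '10.0.5.20'                             # placeholder: PII file server
$DomainControllers = '10.0.1.10', '10.0.1.11'                # placeholder: DCs the pilot must reach
$PolicyPath        = "$env:ProgramData\pilot-applocker.xml"

# 1. Application control: allow rules built from the approved inventory.
#    Publisher rules for signed files, hash rules for the rest, so an unsigned
#    binary dropped into a user-writable folder matches no allow rule.
#    Before switching to Enabled you must also allow the OS under C:\Windows,
#    or logon itself is blocked; audit mode is what makes the pilot safe.
$inventory = foreach ($dir in $ApprovedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}
$xml = $inventory | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $PolicyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyPath
sc.exe config appidsvc start= auto | Out-Null      # AppLocker needs the Application Identity service
Start-Service -Name AppIDSvc
Write-Output 'AppLocker applied in audit mode; review AppLocker event IDs 8003 (exe) and 8006 (script/MSI) for would-be blocks.'

# 2. Application containment: Office and Adobe Reader must not spawn child
#    processes (script engines, cmd) or write executable content. The GUIDs
#    are Microsoft's published ASR rule IDs. AuditMode logs; switch to
#    Enabled once the pilot shows no legitimate hits.
$asrRules = @(
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block all Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899'   # Block Office applications from creating executable content
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'   # Block Adobe Reader from creating child processes
)
foreach ($id in $asrRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 3. Network: deny by default in both directions, then explicit allows only.
#    Outbound default-deny also cuts off Windows Update, RPC dynamic ports and
#    management tooling unless those destinations get their own allow rules.
$fw = @{ WhatIf = $DryRun; ErrorAction = 'Stop' }
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block @fw
New-NetFirewallRule -DisplayName 'Pilot: DNS to DCs'  -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress $DomainControllers -Action Allow @fw
New-NetFirewallRule -DisplayName 'Pilot: HTTPS out'   -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow @fw
New-NetFirewallRule -DisplayName 'Pilot: AD (TCP)'    -Direction Outbound -Protocol TCP -RemotePort 88, 135, 389, 445, 636 -RemoteAddress $DomainControllers -Action Allow @fw
New-NetFirewallRule -DisplayName 'Pilot: AD (UDP)'    -Direction Outbound -Protocol UDP -RemotePort 88, 123, 389 -RemoteAddress $DomainControllers -Action Allow @fw
New-NetFirewallRule -DisplayName 'Pilot: SMB to PII server' -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress $PiiServer -Action Allow @fw

# 4. Privileged access: strip standing membership of local Administrators down
#    to the built-in break-glass account. Day-to-day elevation is then granted
#    per task and per time window by your elevation or PAM tool, not by group
#    membership. Group members (e.g. Domain Admins) are left for a separate review.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike '*\Administrator' } |
    ForEach-Object {
        Write-Output "Removing standing admin: $($_.Name)"
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name -WhatIf:$DryRun
    }
```

Leave the pilot in audit mode long enough to cover a full business cycle (month-end processing, patch Tuesday), add the applications the AppLocker and ASR audit events show to be legitimate, then flip to Enabled and repeat on the next group. Service-account credential rotation is directory-specific and is not included.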

CISOs and security leaders

  • Request a dashboard report of endpoints without application allowlisting, endpoints that allow unsigned script execution, and users with admin rights. Assign an owner to each gap and remediate it within 30 days.
  • Approve a purge plan for PII the business no longer needs, such as SSNs and government ID numbers. Assign data owners and set a date to delete the data or archive it securely.
  • Run a 90-minute tabletop exercise that simulates theft of SSNs and government ID numbers. Include legal, communications, customer support, and IT, and capture every action with an assigned owner and a remediation deadline.
  • Prepare presentation materials on expected costs for a PII breach at today’s user headcount. Include credit monitoring, legal, settlements, and insurance premium increases. Use it to secure budget for prevention.
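The dashboard in the first bullet has to come from somewhere. The following PowerShell is an added example for this page, not code from the original post or from ThreatLocker: it probes each endpoint over PowerShell remoting and writes one row per machine (allowlisting enforced or not, unsigned scripts allowed or not, standing local admins), plus the summary counts a CISO slide needs. Assumptions: WinRM is enabled and the caller has admin rights on the targets; `$Endpoints` is a placeholder list that defaults to the local machine so the script can be tried stand-alone; "allowlisting" is detected as an enforced AppLocker Exe rule collection, and a third-party allowlisting agent would be detected via its own service name (the `$AgentService` parameter is hypothetical and empty by default).

```powershell
# Added example (not from the post): control-gap report for the CISO dashboard.
param(
    [string[]] $Endpoints    = @($env:COMPUTERNAME),      # placeholder fleet list
    [string]   $AgentService = '',                        # hypothetical: service name of a third-party allowlisting agent
    [string]   $OutCsv       = "$env:TEMP\control-gaps.csv"
)

# Runs on each endpoint. Returns one object; nothing here changes state.
$Probe = {
    param([string] $AgentService)

    # Allowlisting: an AppLocker Exe collection that is actually enforced, or a
    # running third-party agent service if one was named.
    $al  = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $exe = $al.RuleCollections | Where-Object RuleCollectionType -eq 'Exe'
    $appLocker = [bool]($exe -and $exe.EnforcementMode -eq 'Enabled')
    $agentUp   = $false
    if ($AgentService) {
        $svc = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
        $agentUp = [bool]($svc -and $svc.Status -eq 'Running')
    }

    # Unsigned scripts: any effective policy weaker than AllSigned/Restricted.
    $policy = Get-ExecutionPolicy

    # Standing admin rights: local Administrators minus the built-in account.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike '*\Administrator' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Endpoint        = $env:COMPUTERNAME
        Allowlisting    = ($appLocker -or $agentUp)
        UnsignedScripts = ($policy -notin 'AllSigned', 'Restricted')
        ExecutionPolicy = "$policy"
        AdminCount      = @($admins).Count
        StandingAdmins  = (@($admins) -join ';')
    }
}

$rows = foreach ($ep in $Endpoints) {
    try {
        if ($ep -eq $env:COMPUTERNAME) {
            & $Probe $AgentService
        } else {
            Invoke-Command -ComputerName $ep -ScriptBlock $Probe -ArgumentList $AgentService -ErrorAction Stop |
                Select-Object Endpoint, Allowlisting, UnsignedScripts, ExecutionPolicy, AdminCount, StandingAdmins
        }
    } catch {
        # Unreachable hosts are a finding too: they are outside monitoring.
        [pscustomobject]@{
            Endpoint = $ep; Allowlisting = $null; UnsignedScripts = $null
            ExecutionPolicy = ''; AdminCount = $null
            StandingAdmins = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation

# Headline numbers for the slide; the CSV carries the per-endpoint owners' work list.
[pscustomobject]@{
    Endpoints            = @($rows).Count
    MissingAllowlisting  = @($rows | Where-Object { $_.Allowlisting -eq $false }).Count
    AllowUnsignedScripts = @($rows | Where-Object { $_.UnsignedScripts -eq $true }).Count
    WithStandingAdmins   = @($rows | Where-Object { $_.AdminCount -gt 0 }).Count
    Unreachable          = @($rows | Where-Object { $null -eq $_.Allowlisting }).Count
    Report               = $OutCsv
}
```

Schedule it weekly and diff the CSV against the previous run: the 30-day remediation target in the bullet above is only meaningful if the counts are re-measured, not self-reported.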

Next step: Harden before the next incident

Breaches like UHM’s demonstrate that default-allow security is no longer sufficient. A default-deny posture stops intruders from executing unknown tools, moving laterally, and exfiltrating PII.

How ThreatLocker Helps

ThreatLocker Application Allowlisting. Only approved software runs. This stops ransomware and post-exploitation tools before they execute.

ThreatLocker Ringfencing. Approved apps stay in their lane. Block scripting engines, unwanted child processes, and unapproved network calls.

ThreatLocker Elevation Control. Elevate applications, not users. Grant just-in-time admin rights with expiry and full audit.

ThreatLocker Network Control. Allow only approved applications to talk to approved destinations and ports. Reduce lateral movement and backdoors for command and control.

ThreatLocker Storage Control. Block USB access by default. Allow only approved devices and limit write access to sensitive file shares.

Request your 30-day trial to the entire ThreatLocker platform today.