Figure Lending Class Action, Nearly 1 Million Customers Sue Over February 2026 Data Breach

Plaintiff George Mardikian filed a proposed federal class action lawsuit against Figure Lending LLC on February 19, 2026, in the U.S. District Court for the Western District of North Carolina. The complaint alleges Figure failed to protect nearly 1 million customers’ sensitive personal information from a social engineering cyberattack discovered on or around February 14, 2026. No settlement has been reached.

Quick Facts

What Actually Happened?

Figure Lending LLC, headquartered in San Francisco, California, markets itself as the largest non-bank home equity line of credit lender in the United States. The company uses the Provenance blockchain to process loan applications and claims to have facilitated over $22 billion in home equity transactions through partnerships with banks, credit unions, and fintech firms. Consumers who applied for loans through Figure — or through any of the company’s more than 240 lending partners — shared sensitive personal information as part of the application process, trusting Figure to keep it secure.

On or around February 13–14, 2026, the cybercriminal group ShinyHunters published 2.5 gigabytes of data allegedly stolen from Figure on a dark web leak site, claiming Figure had refused to pay a ransom. TechCrunch first reported the breach on February 13, 2026, after confirming the incident with a Figure spokesperson. Figure confirmed that a social engineering attack — specifically a “vishing” or voice phishing scheme — tricked an employee into providing system access credentials, allowing the attackers to download files from internal systems.

Independent breach notification service Have I Been Pwned later analyzed the leaked data and identified approximately 967,200 unique accounts affected, with the exposed records including names, phone numbers, physical addresses, email addresses, and dates of birth. On February 19, 2026, plaintiff George Mardikian filed a 46-page proposed class action complaint in North Carolina federal court, arguing Figure’s failure to train employees and maintain adequate security protocols directly enabled the breach.

What Does the Lawsuit Allege?

According to the complaint, Figure Lending failed to adequately train its employees on cybersecurity threats and did not maintain reasonable security safeguards or protocols to protect customer information from foreseeable attacks. The complaint directly quotes Figure’s own privacy policy — which states the company uses “reasonable precautions, including technical and administrative measures” to protect personal data and is “committed to respecting your privacy choices” — and alleges Figure’s actual security practices fell far short of those representations. The complaint argues these public assurances created a duty that Figure breached.

The complaint also alleges Figure failed to notify affected consumers in a timely manner after discovering the breach. According to Law.com Radar’s case summary, the stolen data was published on the dark web and the breach was publicly reported by TechCrunch on February 13, 2026 — yet Figure did not immediately send breach notifications to all affected individuals. The complaint claims this delay left consumers unable to take protective steps — such as placing credit freezes or monitoring their accounts — while their data circulated among cybercriminals.

The complaint further alleges that Figure’s remediation response — offering free credit monitoring to affected individuals — is wholly insufficient to compensate victims for the injuries inflicted. According to the filing, static identifiers like dates of birth and home addresses cannot be changed the way a credit card number can, meaning the harm from their exposure is permanent and ongoing. The lawsuit seeks damages on behalf of all U.S. residents whose personal information was compromised.

Related article: Walmart Spark $100 million Driver Pay Settlement, Did They Underpay You? Are You Eligible to Claim?

What Laws Were Allegedly Violated?

• Negligence (common law tort) — The core claim alleging Figure owed a duty of care to protect consumers’ data, breached that duty by failing to implement and enforce adequate security measures, and that this breach directly caused harm to consumers whose data was stolen and published.
  
• Breach of implied contract (common law) — When consumers submitted personal information to Figure as part of a loan application, the complaint alleges an implied agreement existed that Figure would safeguard that data; the breach allegedly violated that agreement.
  
• California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100 et seq.) — California’s landmark data privacy law gives residents the right to know how their data is collected and used, and provides a private right of action when sensitive personal information is compromised due to a business’s failure to implement reasonable security; the complaint names a California subclass of affected consumers.
  
• California Unfair Competition Law (UCL, Cal. Bus. & Prof. Code § 17200 et seq.) — State law prohibiting unfair or deceptive business practices; the complaint alleges Figure’s public privacy representations and actual security practices were materially inconsistent, constituting an unfair and deceptive business practice.
  
• Unjust enrichment (common law) — The complaint alleges Figure collected and monetized consumers’ personal data as part of its lending business while failing to invest adequately in protecting it, unjustly retaining benefits at consumers’ expense.
  

Note: Additional state law claims may be confirmed when the full complaint becomes publicly available on PACER.

Who Does This Lawsuit Affect?

• You may be affected if you applied for a home equity line of credit, mortgage, or any other loan product directly through Figure Lending.
• You may be affected if you applied for a loan through any of Figure’s more than 240 lending partner institutions, as the Provenance blockchain platform integrates partner data.
• You may be affected if your data was included in the January–February 2026 breach, which the lawsuit covers.
• You may be affected if you received a breach notification letter or email from Figure Lending regarding the February 2026 incident.
• You may be affected if you are a California resident whose personal information was compromised — the complaint names a separate California subclass with additional claims under the CCPA.
• You may be affected even if you did not complete a loan application — partial applications submitted through Figure or its partner platforms may have involved the collection and storage of personal data.

You can check whether your email address appears in the leaked data by visiting HaveIBeenPwned.com and entering the email address you used for any Figure loan application or account.

No action is required right now. Save any purchase records, receipts, or confirmation emails — these may matter if a settlement is reached.

What Is the Company Saying?

Figure Lending has publicly acknowledged the breach and provided a statement through spokesperson Alethea Jadick, which TechCrunch reported on February 13, 2026. The company stated: “We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account. We acted quickly to block the activity and retained a forensic firm to investigate what files were affected. We understand the importance of these matters and are communicating with partners and those impacted as appropriate.”

Figure is offering free credit monitoring to all individuals who receive a breach notification. The company has characterized the breach as affecting “a limited number of files” — a description that stands in contrast to independent security researcher Troy Hunt’s analysis of the leaked data, which identified approximately 967,200 unique email addresses associated with Figure customers, as TechCrunch reported on February 18, 2026.

Figure has not issued a public statement specifically addressing the class action lawsuit filed by Mardikian as of March 12, 2026. The company’s litigation defense will likely argue that it responded promptly once the breach was discovered, that the attack exploited human vulnerability rather than a technical flaw in its systems, and that its credit monitoring offer represents a reasonable remediation effort. AllAboutLawyer.com will update this article when Figure responds formally in court.

What Happens Next?

• Figure files its answer or a motion to dismiss — Figure will formally respond to the complaint in court, either contesting the legal sufficiency of the claims outright or filing a line-by-line answer. Motions to dismiss are common in data breach class actions, where defendants frequently challenge whether plaintiffs have demonstrated concrete injury.
• Discovery begins — Both sides will exchange evidence, including Figure’s internal communications about the breach, employee cybersecurity training records, security audit reports, and the forensic investigation findings. This phase typically runs 12 to 24 months.
• Class certification hearing — Mardikian must ask the court to certify the case as a class action so it can proceed on behalf of all similarly situated U.S. consumers and the California subclass. Class certification is a critical milestone — if denied, only Mardikian’s individual claims continue.
• Potential settlement negotiations — The majority of data breach class actions resolve through settlement rather than trial. No settlement discussions have been publicly reported, and no settlement has been reached at this stage.
• Trial — If no settlement is reached and the class is certified, the case proceeds to trial. Given the current early stage of litigation, a trial date — if ever set — is realistically several years away.

This page will be updated as the case develops.

Important Case Dates

Frequently Asked Questions

Is the Figure Lending data breach lawsuit real?

 Yes. George Mardikian, et al. v. Figure Lending LLC, Case No. 3:26-cv-00135, is a real proposed class action filed February 19, 2026, in the U.S. District Court for the Western District of North Carolina. The case is confirmed on the court’s official PACER docket. The breach itself is also confirmed — Figure publicly acknowledged it on February 13, 2026.

Can I file a claim against Figure Lending right now? 

No. No claim form exists and no settlement has been reached. The case is in its earliest stage — a complaint has been filed but no class has been certified and no settlement fund has been established. If a class settlement is approved in the future, eligible consumers will receive official notice with instructions for submitting a claim.

Do I need a lawyer to join this lawsuit?

 No. If the court certifies this as a class action, eligible U.S. consumers are typically included automatically without hiring their own attorney. Class counsel represents the group. If you suffered documented financial losses — such as costs from identity theft or fraud directly linked to this breach — consulting a data breach attorney about your individual options may be worthwhile.

What happens if the case settles? 

If a settlement is approved, the court supervises a claims process and eligible class members receive notice — typically by email — with instructions for submitting a claim. Compensation in similar data breach settlements has ranged from small pro rata cash payments to several thousand dollars for consumers who can document specific financial losses. No settlement has been reached here as of March 2026.

Will I get notified if there is a settlement? 

Yes, typically. Settlement administrators send notice to identified class members once a settlement receives court approval. Because Figure holds email addresses and contact information for affected customers, direct email notification is likely if a settlement is reached. Saving any Figure correspondence now strengthens your ability to verify eligibility.

What data was stolen in the Figure Lending breach? 

According to the Have I Been Pwned analysis of the leaked data, the stolen records included full names, home addresses, email addresses, phone numbers, and dates of birth. The data dated back to January 2026 and covered approximately 967,200 unique accounts. Figure described the stolen information as coming from “a limited number of files.”

Is the data from the Figure breach on the dark web right now? 

Yes. The cybercriminal group ShinyHunters published 2.5 gigabytes of data allegedly stolen from Figure on a dark web leak site after Figure reportedly declined to pay a ransom. The data has also been catalogued by Have I Been Pwned, a reputable breach notification service. You can check whether your email address appears in the breach at HaveIBeenPwned.com.

Should I be worried about identity theft if my data was exposed? 

The exposed data — particularly the combination of full name, date of birth, home address, and phone number — gives criminals enough information to attempt impersonation, open fraudulent accounts, or craft targeted phishing attacks. Unlike a credit card number, a date of birth cannot be changed. If you received a breach notification, enroll in the free credit monitoring Figure is offering and consider placing a free credit freeze with Equifax, Experian, and TransUnion as an added protective measure.

Data breach class actions involving fintech companies follow a well-established litigation path. Readers tracking similar active cases can review AllAboutLawyer.com’s coverage of the Under Armour data breach class action, where plaintiffs allege a ransomware group stole 343 gigabytes of customer data after the company failed to implement adequate security measures. For context on how fintech breach cases have resolved, the Nelnet data breach settlement produced a $10 million fund paying up to $5,000 for consumers with documented losses after a breach affecting over 2.5 million borrowers.

Sources & References

• Mardikian v. Figure Lending LLC, Case No. 3:26-cv-00135 — U.S. District Court, Western District of North Carolina — PACERMonitor public docket: pacermonitor.com/public/case/63206555/Mardikian_v_Figure_Lending,_LLC
• Justia public docket — Mardikian v. Figure Lending LLC: dockets.justia.com/docket/north-carolina/ncwdce/3:2026cv00135/122708
• TechCrunch — “Fintech lending giant Figure confirms data breach,” Lorenzo Franceschi-Bicchierai, February 13, 2026 (credible news source)
• TechCrunch — “Data breach at fintech giant Figure affects close to a million customers,” February 18, 2026 (credible news source)
• BleepingComputer — “Data breach at fintech firm Figure affects nearly 1 million accounts” (credible security news source)
• American Banker — “Data breach hits 1 million Figure customers,” February 2026 (credible industry news source)
• National Law Review — “Figure Lending Class Action Highlights a Familiar Threat” (credible legal news source)
• Law.com Radar — Mardikian v. Figure Lending LLC case summary (credible legal news source)
• SecurityWeek — “Nearly 1 Million User Records Compromised in Figure Data Breach” (credible security news source)

Last Updated: March 12, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah