Union Home Mortgage says it paid ransom in data breach case

Union Home Mortgage says it paid a ransomware gang to delete sensitive data they stole in a cyberattack last year. 

The nonbank lender made the admission last month in federal court, part of a motion to dismiss a class action lawsuit from borrowers affected by the hack. The company also described how the initial breach occurred, but has not yet revealed the full number of affected customers nationwide. 

Consumers sued UHM last fall for negligence and other civil counts, after the firm notified affected customers and state officials of the June incident. Several lawsuits were consolidated in an Ohio federal court, and UHM last month filed its motion to dismiss, claiming, among other reasons, that plaintiffs weren't harmed by the lender hack specifically.

"Even if the data from the breach were posted (online), it would not diminish the value of plaintiffs' personal information because that information has already been available on the dark web as a result of prior breaches of other entities," wrote attorneys for the lender. 

The company and its Chief Information Officer Mark Langhans described in filings how they responded to the ransomware gang known as Qilin, which threatened to release stolen data if UHM didn't pay up. The lender paid Qilin on the condition the gang would delete the stolen data and not target them again, and Qilin agreed to those terms, including providing proof it deleted the data. 

It's a rare admission by a mortgage company of paying cybercriminals to free their data. Many firms remain mum on the circumstances of cybersecurity incidents, let alone how many of their customers were harmed or how much the incident cost the company. 

Union Home Mortgage CEO Bill Cosgrove in an email Tuesday evening said his company has no evidence its customers' data was actually breached or harmed in any way. An attorney for UHM meanwhile deferred comment to the filings' contents. 

An attorney for plaintiffs didn't return messages seeking comment. 

How hackers breached Union Home Mortgage

UHM said it discovered its network was infiltrated on June 25, 2025 and hired consulting firm Charles River Associates to investigate. 

Their probe determined that a UHM employee accessed a "legitimate third-party business website" on May 27, 2025, on which Qilin implanted malicious software. The bug caused the employee's browser to allow a malicious script to install and run malware on their computer. Filings don't state which website the employee visited. 

Qilin compromised other employee accounts, installed ransomware to encrypt other parts of the lender's network, and exfiltrated personally identifiable information of customers and former employees, according to filings. The firm didn't say when it paid the ransom, or how much it was.

Following the incident, the lender implemented a host of cybersecurity upgrades, including web filtering to prevent malware from being downloaded from websites, Langhans wrote. 

At least 25,000 consumers were affected by the hack, according to public notices in several state attorneys general databases.

Why Union Home Mortgage wants the lawsuit tossed

Following the payout, Charles River Associates monitored the dark web and found no signs that UHM data was posted online. Rather, the firms found that plaintiffs' PII was publicly available as a result of prior hacks at other companies. 

UHM argues that plaintiffs lack standing, because they haven't proved any misuse of their PII. Similar to other lenders' defense of data breach claims, UHM also suggests plaintiffs can't plausibly allege which wrongful actions, or inactions, by the company allowed the attack to occur. 

Plaintiffs have yet to reply to UHM's motion. 

The Strongsville, Ohio-based firm is no stranger to litigation, lately targeting its former employees for allegedly lifting trade secrets to their new jobs. A federal judge partially ruled in the lender's favor last month in one of those cases, barring eight ex-loan officers from working in their home jurisdictions in accordance with their UHM agreements.