The four month gap between discovery and public notice, paired with a data mix designed to enable loan fraud, sets this breach apart from a routine credit card spill.
When hackers steal a credit card number, the victim can cancel it. When they steal a Social Security number alongside a mortgage application, with the borrower's name, address, loan amount, and property address attached, the resulting fraud has a much longer fuse and a much heavier payoff. That is the risk profile facing the up to 137,976 people caught in Plaza Home Mortgage's February 2026 breach, which the San Diego-based lender disclosed publicly this week.
Plaza confirmed that the data set potentially exposed goes well beyond the usual name-and-email spill. According to the investigation announcement from Edelson Lechtzin LLP relaying Plaza's own breach notification, the compromised information includes names, addresses, Social Security numbers, dates of birth, driver's licenses or other government identification, and details tied to mortgage loan applications and servicing. The investigation was announced on June 12, 2026, roughly four months after Plaza detected suspicious network activity on February 17, 2026. The lender's corporate site, plazahomemortgage.com, confirms the company's NMLS identifier (2113) and San Diego headquarters.
The reason this combination matters is the specific fraud it enables. With a Social Security number and a real mortgage history in hand, a criminal can pose as the borrower to a different lender and apply for a home equity line or cash-out refinance. The lender's underwriting checks will find an existing loan, a real property, and a real payment history, which can make a fraudulent application look ordinary rather than anomalous. The same data set supports fraudulent IRS filings using the victim's real wage and withholding history, and it gives identity thieves the kind of long-lived, KYC-passing persona that survives most anti-fraud screening. A stolen card number, by contrast, is usually dead within hours of detection.
The breach vector, as Plaza described it, was unauthorized access to an employee's computer. That phrasing covers a wide range of possible intrusions, from credential theft and remote access misuse to phishing or malware on a single endpoint, and Plaza has not publicly identified a specific threat actor or root cause. The firm investigating, Edelson Lechtzin LLP, is a national class action practice with offices in Pennsylvania and California. Its June 12 release is the public disclosure vehicle of record; there is no investor filing to point to, because Plaza operates as a private, non-SEC-registered mortgage lender rather than a public issuer.
The roughly four-month window between detection on February 17, 2026 and public notice on June 12, 2026 falls inside the typical range for a complex mortgage-sector forensic investigation, but it is also a reporting angle of its own. State data-breach notification statutes generally require notice "in the most expedient time possible" and without unreasonable delay, which is a judgment call shaped by the scope of the forensic review. Readers who believe they were affected should not assume the four-month gap means the notification system failed; they should assume the notification is the moment their own clock starts.
For affected consumers, the protective steps that match this specific risk profile are different from the generic "monitor your credit" advice. A credit freeze at all three bureaus blocks new credit accounts from being opened in the borrower's name, including the home equity loan fraud the exposed data is designed to enable. Filing an IRS Identity Protection PIN request makes it harder for a criminal to file a fraudulent return using the victim's real SSN and wage history. Active review of mortgage servicing statements and the annual credit reports from Equifax, Experian, and TransUnion can catch a fraudulent HELOC or refinance that has already slipped through. Credit monitoring services, which are often offered as the headline remedy after breaches like this, will alert a victim to new accounts after they appear, which is the wrong direction for a risk surface that lets criminals open accounts that look like the victim's own.
The 137,976 affected count, the data element list, and the four-month notification timeline all originate from Plaza's confirmed breach notification as relayed by the investigating law firm rather than from independent reporting or a state attorney general record, so the figures should be read as Plaza's own characterization of the incident. What is independent is the structure of the risk: SSN plus mortgage data is a high-harm combination because it lets criminals pass as the borrower, not just the cardholder, and the protective response has to be designed for that distinction.