– Mr. Cooper Group faced four consumer class-action lawsuits after a cyberattack compromised customer information and led to the shutdown of certain systems.
– The company disclosed the cyberattack on October 31, stating that an unauthorized third party accessed its technology systems and customer data.
– Customers claim that Mr. Cooper failed to comply with industry standards to protect personally identifiable information.
– Mr. Cooper had 4.3 million customers and $937 billion in UPB in its servicing portfolio in Q3.
– Customers face an increased risk of identity theft and have spent significant time and money to protect themselves due to the company’s failures.
– Plaintiffs criticized the company’s delayed and insufficient notification about the incident, as well as the potential long-term effects of the breach.
– Customers seek full disclosure of the compromised information and the adoption of better security practices by Mr. Cooper.
– The company has partially resumed operations, with phone systems and the website running again.
– Mr. Cooper will provide affected customers with complimentary credit monitoring services.
– The company anticipates additional vendor costs of $5 to $10 million in Q4, but the full extent of remediation and legal expenses is still unknown.
Mr. Cooper Group became the target of at least four consumer class-action lawsuits after disclosing a cyberattack at the end of October when customer information was compromised and the company shut down certain systems.
On Oct. 31, the Dallas-based servicer and lender said it had experienced a cybersecurity incident with an unauthorized third party accessing certain portions of its technology systems and customer data. The firm informed law enforcement, regulatory authorities and other stakeholders.
In the lawsuits filed in a district court in Texas, customers claim that the defendant “failed to comply with industry standards to protect information in its systems that contain” personally identifiable information of millions of people.
Mr. Cooper had 4.3 million customers in its servicing portfolio in the third quarter, consisting of $937 billion in UPB at the end of September.
Customers claim that, as a result of the attack, they are “in the hands of criminals” and face an “increased risk of identity theft.” Ultimately, they have spent and will continue to spend “significant time and money” to protect themselves due to Mr. Cooper’s failures.
A representative for Mr. Cooper did not respond to a request for comment.
Plaintiffs complained that the company notified them about the incident days after discovering the data breach and the notice lacked information, including details of the cyberattack and customer recommendations.
They also complained about emotional stress since, once stolen, fraudulent use of that information and damage to victims may continue for years. In addition, fraudulent activity might not show up for six to 12 months or even longer.
Customers seek, among other things, that the “company fully and accurately disclose the nature of the information that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like this in the future.”
Mr. Cooper is accused of negligence, breach of implied contract and unjust enrichment, among other claims.
“We are continuing to investigate precisely what information was exposed. In the coming weeks, we will mail notices to any affected customer and provide them with complimentary credit monitoring services,” Mr. Cooper said on its website.
The company estimates fourth-quarter earnings will include $5 to $10 million in additional vendor costs. At this time, however, it’s not possible to quantify the full extent of remediation and legal expenses due to the cyberattack.
Property Chomp’s Take:
Have you heard about the recent cyberattack on Mr. Cooper Group? This Dallas-based servicer and lender disclosed at the end of October that they experienced a cybersecurity incident, where an unauthorized third party accessed certain portions of their technology systems and customer data. As a result, the company has become the target of multiple consumer class-action lawsuits.
In these lawsuits, customers claim that Mr. Cooper failed to comply with industry standards to protect their personally identifiable information, leaving millions of people at risk of identity theft. With 4.3 million customers in its servicing portfolio, the potential impact of this data breach is significant.
The plaintiffs argue that they are now “in the hands of criminals” and face an increased risk of identity theft. They have also had to spend a significant amount of time and money to protect themselves due to Mr. Cooper’s alleged failures. The emotional stress caused by this breach is also a concern, as the fraudulent use of stolen information could continue for years without detection.
One of the main complaints from customers is that Mr. Cooper notified them about the incident several days after discovering the data breach. The notice they received lacked crucial information, such as details about the cyberattack and recommended actions for customers to take. This lack of transparency has only added to the frustration and anxiety experienced by the affected individuals.
The customers are seeking various remedies, including a full and accurate disclosure of the compromised information and the implementation of better security practices and safeguards to prevent similar incidents in the future. Mr. Cooper is facing allegations of negligence, breach of implied contract, and unjust enrichment, among other claims.
Recently, Mr. Cooper announced that it has partially resumed its operations, with phone systems and its website now running again. The company is actively investigating the extent of the information exposed and plans to send notices to affected customers in the coming weeks. They will also provide complimentary credit monitoring services to help mitigate the risk of identity theft.
However, the full extent of the financial impact of this cyberattack is yet to be determined. Mr. Cooper estimates that fourth-quarter earnings will include an additional $5 to $10 million in vendor costs. The costs associated with remediation and legal expenses are still uncertain.
As we await further developments in this case, it serves as a reminder of the importance of robust cybersecurity measures. Companies must prioritize the protection of customer data and ensure that they are taking proactive steps to prevent cyberattacks. The consequences of such breaches can be far-reaching, affecting not only the company’s reputation but also the lives and financial security of their customers.