Personal data of 14.6 million customers compromised in a late 2023 incident
Mr. Cooper is currently embroiled in a second class-action lawsuit following a major data breach in late 2023 that affected 14.6 million customers.
The breach, which unfolded between late October and early November of 2023, led to the filing of the latest lawsuit on December 22 in a federal court in Dallas, accusing the Dallas-based company of negligence in protecting customer data.
Claimants are seeking monetary damages and improvements to Mr. Cooper’s security protocols, the Dallas Morning News reported.
Mr. Cooper services 4.3 million customers and manages an unpaid principal balance totaling $870 billion. It ranks as one of the top 20 mortgage originators in the US, funding $28 billion in loans in 2022.
Company representatives have declined to comment on the lawsuit. However, Mr. Cooper’s chairman and CEO, Jay Bray, issued an apology to customers before the filing of the new lawsuit.
“We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers’ trust,” Bray said in a statement. “I want you to know how sorry I am for any concern or frustration this may have caused. Making the homeownership journey as smooth as possible is our top priority, and we intend to make this right for our customers.”
According to the lawsuit, the breach leaked sensitive customer information, including names, addresses, phone numbers, email addresses, Social Security numbers, dates of birth, and bank account numbers.
While Mr. Cooper has acknowledged that nearly all its current and former customers were affected, there have been no specific reports of identity theft or financial fraud directly linked to the breach. Still, the lawsuit argues that customers are at substantial risk of future harm, potentially for years, especially if the stolen information is sold on the dark web.
Sari Mazzurco, assistant professor of law at Southern Methodist University’s Dedman School of Law, noted the challenges of the class action suit due to the lack of reported identity theft cases.
“Courts have a problem with letting suits proceed when there hasn’t been actual concrete harm,” Mazzurco told Dallas Morning News. She suggested that while the suit might currently be weak, amendments could strengthen it by providing more concrete evidence of harm.
Read next: Cyberattacks on the rise with increased remote work
To mitigate the situation, Mr. Cooper has set aside $25 million for related expenses and is offering identity protection services to affected customers for two years. The company’s ongoing efforts include a forensic review, coordination with law enforcement, and addressing litigation.
“We are in the process of reaching out to customers with instructions on how to sign up for these complimentary services and how to contact us with questions,” the filing said.
This legal battle comes in the wake of a similar case involving Home Care Providers of Texas, which settled for $1.4 million after a data breach affecting over 124,000 people. With 14.6 million individuals affected in Mr. Cooper’s breach, the potential settlement could exceed $1 billion, according to Mazzurco.
“Because of the HCPT case and recent finalization of the settlement, I think it’s possible that it will give Mr. Cooper an indication that they need to follow toward the same path of settling,” she explained. “I’d imagine they want to settle and put this behind them quickly. It would probably be a smaller amount than the expense they’d incur litigating the case in court.”
As Mr. Cooper navigates this lawsuit, the focus will likely be on its cybersecurity practices and whether it adhered to industry best practices, a scrutiny that could set a precedent for how companies manage and protect customer data in the future.
Stay updated with the freshest mortgage news. Get exclusive interviews, breaking news, and industry events in your inbox, and always be the first to know by subscribing to our FREE daily newsletter.