Mr. Cooper Hacking Incident Affects Data of 14.7 Million – Source: www.govinfosecurity.com

Finance & Banking
,
Incident & Breach Response
,
Industry Specific

Data Stolen From Mortgage Lender Includes Bank Account Numbers

David Perera (@daveperera) •
December 18, 2023    

A late October hacking incident at mortgage lender Mr. Cooper affected 14.7 million individuals, the Texas company disclosed Friday.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

The incident triggered a four-day shutdown of corporate systems and a suspension in lending. The company manages approximately $937 billion in loans and more than 4.3 million customers. In breach notifications being sent to affected individuals, the non-bank lender said stolen information includes names, Social Security numbers, birthdates and bank account numbers.

Hackers gained access on Oct. 30 and were ejected on Nov. 1.

In a filing with federal regulators, Mr. Cooper estimated the incident will cost $25 million, up from a previous estimate of between $5 million to $10 million. The incident has not affected expectations for new loan income or revenue from servicing existing loans, it said.

Affected individuals include anyone with a mortgage serviced currently or previously by Mr. Cooper or one of its sister brands: RightPath Servicing, Rushmore Servicing, Greenlight Financial Services, and Champion Mortgage. Anyone who applied for a home loan is also swept up in the attack.

The incident came just as U.S. federal regulators have stepped up requirements for publicly traded companies and the non-banking financial sector entities to disclose security incidents. As of Monday, all publicly traded companies excepting small companies – who have an extra 180 days to comply – must disclose most “material cybersecurity incidents” within four business days of determining materiality (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

The Federal Trade Commission in October imposed a new reporting mandate for nonbanking financial institutions requiring them to report a data breach to the agency anytime a third party acquires without authorization the unencrypted records of at least 500 consumers. The mandate becomes effective on May 13 (see: FTC Expands Financial Data Breach Reporting Requirements).