Mr. Cooper Group became the target of at least four consumer class-action lawsuits after disclosing a cyberattack at the end of October when customer information was compromised and the company shut down certain systems.
On Oct. 31, the Dallas-based servicer and lender said it had experienced a cybersecurity incident with an unauthorized third party accessing certain portions of its technology systems and customer data. The firm informed law enforcement, regulatory authorities and other stakeholders.
In the lawsuits filed in a district court in Texas, customers claim that the defendant “failed to comply with industry standards to protect information in its systems that contain” personally identifiable information of millions of people.
Mr. Cooper had 4.3 million customers in its servicing portfolio in the third quarter, consisting of $937 billion in UPB at the end of September.
Customers claim that, as a result of the attack, they are “in the hands of criminals” and face an “increased risk of identity theft.” Ultimately, they have spent and will continue to spend “significant time and money” to protect themselves due to Mr. Cooper’s failures.
A representative for Mr. Cooper did not respond to a request for comment.
Plaintiffs complained that the company notified them about the incident days after discovering the data breach and the notice lacked information, including details of the cyberattack and customer recommendations.
They also complained about emotional stress since, once stolen, fraudulent use of that information and damage to victims may continue for years. In addition, fraudulent activity might not show up for six to 12 months or even longer.
Customers seek, among other things, that the “company fully and accurately disclose the nature of the information that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like this in the future.”
Mr. Cooper is accused of negligence, breach of implied contract and unjust enrichment, among other claims.
On Thursday, Mr. Cooper announced it had partially resumed its operations. After that, the company said phone systems and its website were running again.
“We are continuing to investigate precisely what information was exposed. In the coming weeks, we will mail notices to any affected customer and provide them with complimentary credit monitoring services,” Mr. Cooper said on its website.
The company estimates fourth-quarter earnings will include $5 to $10 million in additional vendor costs. At this time, however, it’s not possible to quantify the full extent of remediation and legal expenses due to the cyberattack.