Mortgage servicer Mr. Cooper, which suffered a significant cyber attack in late October, disclosed yesterday that malicious actors were able to access sensitive personal information belonging to “substantially all of our current and former customers.”
According to a filing with the Maine Attorney General’s office, more than 14 million people were affected by the breach. The attackers were able to access Social Security numbers, addresses, dates of birth and bank account numbers, among other information.
“There is nothing more important to us than maintaining our customers’ trust. I want you to know how sorry I am for any concern or frustration this may have caused,” said Jay Bray, chairman and CEO of Mr. Cooper Group, in a statement. “We intend to make this right for our customers.”
Mr. Cooper is the largest non-bank mortgage servicer in the country, according to its website, with a $937 billion portfolio and 4.3 million current customers. The October cyber attack resulted in significant disruption for borrowers, who were unable to make payments for nearly a week, and caused more chaos for those in the foreclosure process.
The company is providing affected customers with two years of credit monitoring, according to a statement provided to RISMedia. It is also still in the process of investigating the incident in coordination with law enforcement.
In the weeks after the cyber attack, eight separate class action lawsuits were filed against Mr. Cooper by current and former customers. Last week, plaintiffs in those lawsuits agreed to consolidate their claims, according to federal court filings.
One of those lawsuits accuses Mr. Cooper of negligence, breach of contract and invasion of privacy, among other violations of the law.
“Plaintiff anticipates spending considerable time and money on an ongoing basis to try to mitigate and address the harms caused by the Data Breach. In addition, Plaintiff will continue to be at present, imminent, and continued increased risk of identity theft and fraud for years to come,” the lawsuit claims.
In a letter sent out to affected customers and filed with the Maine Attorney General’s office last week, Mr. Cooper said they “have no evidence at this time that your information has been misused for identity theft or fraud as a result of this incident.”
The letter also recommended affected customers sign up for a fraud alert program, or implement a security freeze to prevent unauthorized use of personal information to solicit loans or other services.
