Judge rules Mr. Cooper data breach borrowers have standing

A Texas federal judge overseeing the data breach suit against Mr. Cooper refused to dismiss the case, as was previously requested by the mortgage servicer.

In a recently published order, U.S. District Judge David Godbey, wrote that the court finds the plaintiffs have standing to bring some claims against Mr. Cooper, though others have been dismissed, or deferred until class certification.

One of the most notable developments in the case is the judge's ruling that plaintiffs have sufficiently alleged an injury stemming from Mr. Cooper's data breach in October 2023, which compromised the personal identifiable information of more than 14 million customers. 

The order references the alleged impacts on borrowers following the cyberattack, including claims of stolen funds from bank accounts, fraudulent charges on credit and debit cards, and attempts to open credit card accounts in borrowers' names — all cited to show that the borrowers have standing.

"Plaintiffs have sufficiently alleged that defendants failed to adequately prepare for a cyberattack and secure their PII," the judge wrote July 22. "The court finds that plaintiffs have met their pleading standard for causation."

However, the federal Texas court has moved to dismiss parts of the class action suit, including claims seeking injunctive relief against future attacks, unjust enrichment, and other claims.

In the ruling, the judge stated that the plaintiffs failed to show that Mr. Cooper's privacy policy is an enforceable contract, rather than simply a description of the company's internal procedures. The court also threw out invasion of privacy claims, noting that the plaintiffs failed to prove that Mr. Cooper intentionally invaded their privacy as a result of the data breach.

Mr. Cooper did not immediately respond to a request for comment.

The aftermath of the data breach

A number of suits were filed against Mr. Cooper after its data breach in late 2023. 

Close to twenty class action suits pending against the lender and servicer were combined into a single case in mid-January 2024 under plaintiff Jennifer Cabezas, who was the first to bring a motion against the company after it was hit by the data breach in October. 

During the course of discovery, Mr. Cooper revealed that it paid an eight-figure ransom to Alphv/Black Cat "in exchange for decryption keys and an unverifiable promise to delete stolen personal identifiable information." 

The plaintiffs have claimed in the past that the hackers who stole their personally identifiable information probably kept it and did not delete it. The loan servicer says that claim is not true.

Throughout the litigation, the mortgage servicer, soon to be acquired by Rocket Companies, has argued that customers have not shown sufficient evidence of harm from the cyber breach that occurred in late 2023. They also say that plaintiffs have alleged "no recognized injury, only a speculative concern of future harm after receipt of a data breach notification."

Meanwhile, Mr. Cooper filed a suit in November 2024 against National Union Fire Insurance Company and Berkshire Hathaway Specialty Insurance, two of its insurers, which "improperly denied [it] coverage" to cover losses caused by the cyber attack.

Both National Union Fire Insurance Company and Berkshire responded in separate filings in April claiming that Mr. Cooper is not entitled to any relief. The case is still pending as of Aug. 4.