Mr. Cooper faces six class action suits after cyberattack

Two more class action suits have been filed against Mr. Cooper regarding its recent cybersecurity incident, bringing the tally of related pending litigation to six cases.

The cyberattack, which shut down some of the servicer's operations in late October, resulted in a leak of personal identifiable information. How many of Mr. Cooper's estimated 4.3 million customers have been impacted by the breach remains unknown. 

To date, all of the lawsuits, including the most recent ones, filed Nov. 20 and Nov. 22 in a Texas federal court, accuse the servicer of failing to secure and safeguard customers' personal identifiable information and neglecting to provide timely and adequate notice that personal data has been compromised.

The most recent class action, filed by Jerold Short and Carlette Short, claims Mr. Cooper's communication throughout the incident "raise[d] more questions than they answered" because the company was not transparent about which systems were affected, what information was accessed and how many borrowers were impacted.

As a result, this "prevented millions of current and former customers of Mr. Cooper from taking meaningful actions to protect themselves in the face of serious and imminent harm," the court documents said.

On Nov. 2, customers were told that a cyberattack occurred on Oct. 31 and that Mr.Cooper locked down its systems to keep data safe. A week later, the company published a notice first relaying that personal customer data was not breached and then on Nov. 15, Mr. Cooper "removed that language from its online notice, calling into question whether customer financial information was accessible from Mr. Cooper's systems," the plaintiffs said.

The suit claims Mr. Cooper in its communications also omitted when the breach began, disclosing only that it discovered the unauthorized access on Oct. 31, which could point to the breach occurring earlier than what was first disclosed.

The servicer's alleged fumble in protecting customers' information has exposed plaintiffs "to a significant and continuing risk of identity theft, financial fraud, and other identity-related fraud indefinitely."

Mr. Cooper also did not comply with a number of federal rules and recommendations, including the Federal Trade Commission's Safeguards Rule, which requires financial institutions to protect the security, confidentiality, and integrity of customer information, the plaintiffs claim.

All six class action suits are asking for the servicer to implement and maintain reasonable security measures to prevent similar outcomes from future cyberattacks.

Mr. Cooper declined to provide commentary regarding the pending lawsuits.

According to a previous announcement, all of the servicer's systems have been rebooted and are now in working order. The incident itself will likely cost the company an additional $5 to $10 million of vendor costs in the fourth quarter, Keefe, Bruyette & Woods, Inc. predicts.