After over a month since the incident was first reported, Mr. Cooper confirmed the majority of its current and past customers had their personal identifiable information compromised during a
A forensic review has determined that PII " relating to substantially all of our current and former customers was obtained from our systems," the servicer said in a filing with the Securities and Exchange Commission Friday. It currently has an estimated 4.3 million customers.
To compensate current and former borrowers for the breach, Mr. Cooper is footing the bill for two years of complimentary identity protection services, including credit monitoring. The services will be provided by Cyberscout through Identity Force, a TransUnion company specializing in fraud assistance and remediation services.
Covering the cost of identity monitoring services will have a significant impact on Mr. Cooper's bottom line, pushing vendor related expenses in the fourth quarter to $25 million (from $5 to $10 million), per the company's SEC filing.
Notification letters will be mailed to customers containing enrollment instructions for the free identity protection services. Mr. Cooper has also set up a call center supported by TransUnion to answer borrower questions.
"We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers' trust. I want you to know how sorry I am for any concern or frustration this may have caused," Jay Bray, CEO of Mr. Cooper Group, said in a written statement Friday. "Making the homeownership journey as smooth as possible is our top priority, and we intend to make this right for our customers."
Many lawsuits have been filed in reaction to the cybersecurity incident. At least
One of the suits, filed by Jerold Short and Carlette Short in a Texas federal court, claims Mr. Cooper's communication throughout the incident "raise[d] more questions than they answered" because the company was not transparent about which systems were affected, what information was accessed and how many borrowers were impacted.
On Nov. 2, customers were told that a cyberattack occurred on Oct. 31 and that Mr.Cooper locked down its systems to keep data safe. A week later, the company published a notice first relaying that personal customer data was not breached and then on Nov. 15, Mr. Cooper "removed that language from its online notice, calling into question whether customer financial information was accessible from Mr. Cooper's systems," the plaintiffs said.
The suit claims Mr. Cooper in its communications also omitted when the breach began, disclosing only that it discovered the unauthorized access on Oct. 31, which could point to the breach occurring earlier than what was first disclosed.
