Mr. Cooper data breach victims reveal how they've been affected

Customers impacted by Mr. Cooper's data breach late last year continue to feel the aftermath nine months later. 

Following the cyber attack, which leaked the Social Security numbers of 14.7 million customers, some have reported being hit by a wave of spam and seeing credit cards opened in their names, a July filing in Texas federal court shows. In one instance, a customer had $25,000 withdrawn from her Charles Schwab account. 

An amended complaint for a consolidated class action suit, which now has 22 members, outlines in detail how each customer fared after their information was exposed in late October 2023. The filing also spells out exactly how the cyber attack was carried out by nefarious players.

Since the breach, Kay Pollard, a current customer of Mr. Cooper, has been "bombarded" with unauthorized activity on her credit report, which required her to repeat the process of freezing some of her accounts. She, along with all 22 class members, also received a slew of spam emails, calls and text messages, which are believed to be affiliated with the breach.

Katy Ross, on the other hand, had $25,000 stolen from her Charles Schwab account by a bad actor in January 2024, a crime she linked to her personally identifiable information being compromised. After the theft, Ross reported the incident to the Federal Bureau of Investigation, but it remains unclear whether the stolen funds have been recovered.

Other plaintiffs, including Linda Hansen and Emily Burke, say that since the event in the fall, fraudsters have attempted to open four and 11 credit cards in their names, respectively. Some of the credit cards were co-branded with Ulta Rewards Beauty, Victoria's Secret and Disney. In addition, bad actors attempted to purchase two iPhones and add a phone line using fraudulent credit cards under Burke's name.

Almost all of the class members, including Pollard, Gary Allen and Jose Ignacio Garrigo, have seen fraudulent credit card charges. And Allen notes that he was notified by Microsoft that perpetrators attempted to access his Microsoft account from an undisclosed location in China.

Mr. Cooper did not immediately respond to a request for comment. The lead attorney representing the class action could not be immediately reached.

An investigation by the plaintiffs also uncovered how Mr. Cooper was allegedly targeted in the first place. Mr. Cooper was subject to a two-stage attack, the filing claims. The first stage came from an initial access broker (IAB), which penetrated the company's system through multiple access points and exfiltrated customer PII; the second came from a ransomware gang, which sought and extracted a ransom. (The IAB does the difficult work of finding targets and gaining access to systems, allowing ransomware groups to attack at scale because they are not wasting time securing a foothold in a target's network, the filing explains.)

IABs purportedly accessed Mr. Cooper's network using compromised credentials that connected to a ".dev" site (a development site) in India, a compromised public-facing website, and a compromised IP telephone system, the plaintiffs' investigation found. Because the company did not properly encrypt customer PII and monitor its systems' vulnerabilities, it failed to detect such malicious activity, the filing alleges.

As of June 9, cybercriminal Wockstar, likely the IAB behind the attack, was selling the source code allegedly used to perpetrate the breach for $50,000 in bitcoin, the complaint revealed. This could open up the door for other nefarious players to target companies in the same way.

The suit accuses the servicer and lender of failing to comply with regulations and industry standards to protect customer data and demands the mega company "implement and maintain reasonable security measures" such as having audits on its systems, engaging third-party and internal personnel to run automated security testing and purging PII not necessary for its provision of services. 

The complaint did not state damages the class is seeking. However, settlement talks surrounding Loandepot, which also suffered a massive cyber breach in January 2024, could provide some insight into a potential outcome.

The company accrued $27 million, "primarily as part of reaching an agreement in principle," in a lawsuit over its massive January hack, said David Hayes, chief financial officer, during the company's second quarter earnings call. That payment and other non-operating expenses contributed to Loandepot's $65.9 million net loss in the second quarter.

Close to 17 million former and current Loandepot customers had their Social Security numbers compromised during said data breach, the lender disclosed in a filing shared with the Office of the Maine Attorney General earlier this year.

A preliminary settlement of $2.42 million has been approved for a consolidated lawsuit related to a smaller data breach at Planet Home Lending. This breach, which occurred on November 15, 2023, affected nearly 300,000 customers.
