Mr. Cooper sues its insurance providers over cyber breach

Mr. Cooper is accusing its insurers of not indemnifying it for losses caused by a cyber attack that hit the nonbank's systems in late 2023 and shut operations down for almost a week. 

Litigation filed by the company points to a total of $30 million in losses that have yet to be covered by its insurance partners. 

This sum includes the cost "to restore its computer systems…which were a direct result of the criminal actions of the cyber hackers," litigation filed by Mr. Cooper in Texas federal court said. 

The company also reveals in its suit that it paid a ransom to the hacker to regain full access to its systems.

Mr. Cooper's insurers, which it alleges "improperly denied coverage" are National Union Fire Insurance Company and Berkshire Hathaway Specialty Insurance. 

The nonbank is suing for breach of contract, violation of both Texas insurance code and common law duty of good fair and fair dealing. National Union could not immediately be reached on Monday. Berkshire did not respond to a request for comment.

The nonbank's complaint filed Nov. 13 says that "at its most challenging time when Mr. Cooper expected support…National Union has stood out for its reprehensible conduct." 

"It has reneged on its clearly bargained-for coverage and, worse, strung Mr. Cooper along for nearly a year with excessive information requests, all the while refusing to make any payments required towards Mr. Cooper's substantial and direct losses," the litigation alleges.

Out of almost $30 million, National Union agreed to cover $300,000, a denial of nearly 99% of Mr. Cooper's losses, documents show.

Berkshire, meanwhile, has taken no coverage position in response to the claim, and in so doing has also delayed payments required towards Mr. Cooper's substantial losses, litigation alleges.

Mr. Cooper purchased a tower of insurance for hybrid financial institutions bond/crime computer coverage applicable to the period of July 11, 2023 to July 11, 2024, it said in its complaint. The primary insurer of this tower is National Union and the first excess insurer is Berkshire.

The nonbank servicer and lender is seeking an awarding payment of damages in an amount no less than $15 million from both insurers, the complaint said.

The cyber attack, which leaked the Social Security numbers of 14.7 million customers, has had long echoing ramifications for Mr. Cooper. The company has had to foot the bill for two years of complimentary identity-protection services, including credit monitoring, for borrowers. 

Additionally, a class action lawsuit has been lodged by borrowers impacted by the breach. An amended complaint for the consolidated class action suit, which now has 22 members, outlines in detail how each customer fared after their information was exposed in late October 2023. 

Since the breach, Kay Pollard, a current customer of Mr. Cooper has been "bombarded" with unauthorized activity on her credit report, which required her to repeat the process of freezing some of her accounts, she said. She —along with all 22 class members – also received a slew of spam emails, calls and text messages, which are believed to be affiliated with the breach.

Katy Ross, on the other hand, had $25,000 stolen from her Charles Schwab account by a bad actor in January 2024, a crime she linked to her personal identifiable information being compromised. After the theft, Ross reported the incident to the Federal Bureau of Investigation, but it remains unclear whether the stolen funds have been recovered.

Other plaintiffs, including Linda Hansen and Emily Burke, say, following the event in the fall, fraudsters have attempted to open up four and 11 credit cards in their name, respectively.

An investigation by the plaintiffs also uncovered how Mr. Cooper may have been targeted in the first place. Mr. Cooper was subject to a two-stage attack, the filing claims. The first came from an initial access broker, which penetrated the company's system through multiple access points and exfiltrated customer PII. Second, the company was hit by a ransomware gang that sought and extracted a ransom. (The IAB does the difficult work of finding targets and gaining access into systems, allowing for ransomware groups to attack at scale because they are not wasting time securing a foothold in a target's network, the filing explains.)

Mr. Cooper in turn disputes claims that the ransomware attack is linked with customers having their personal identifiable information leaked on the dark web, as is alleged in a class action against the company.

"There is absolutely no evidence that any of the personal identifiable information subject to the ransom attack is on the dark web," Mr. Cooper wrote in a filing dated Aug. 20. "Plaintiffs have not alleged any Article III injury sufficient to give them standing to state a claim."

The case is still pending as of mid-November.

For reprint and licensing requests for this article, click here.
Industry News Law and legal issues Cyber security Servicing
MORE FROM NATIONAL MORTGAGE NEWS