Finance & Banking , Incident & Breach Response , Industry Specific
Mr. Cooper Hacking Incident Affects Data of 14.7 Million
Data Stolen From Mortgage Lender Includes Bank Account NumbersA late October hacking incident at mortgage lender Mr. Cooper affected 14.7 million individuals, the Texas company disclosed Friday.
See Also: Securing the Cloud for Financial Services
The incident triggered a four-day shutdown of corporate systems and a suspension in lending. The company manages approximately $937 billion in loans and more than 4.3 million customers. In breach notifications being sent to affected individuals, the non-bank lender said stolen information includes names, Social Security numbers, birthdates and bank account numbers.
Hackers gained access on Oct. 30 and were ejected on Nov. 1.
In a filing with federal regulators, Mr. Cooper estimated the incident will cost $25 million, up from a previous estimate of between $5 million to $10 million. The incident has not affected expectations for new loan income or revenue from servicing existing loans, it said.
Affected individuals include anyone with a mortgage serviced currently or previously by Mr. Cooper or one of its sister brands: RightPath Servicing, Rushmore Servicing, Greenlight Financial Services, and Champion Mortgage. Anyone who applied for a home loan is also swept up in the attack.
The incident came just as U.S. federal regulators have stepped up requirements for publicly traded companies and the non-banking financial sector entities to disclose security incidents. As of Monday, all publicly traded companies excepting small companies - who have an extra 180 days to comply - must disclose most "material cybersecurity incidents" within four business days of determining materiality (see: SEC Votes to Require Material Incident Disclosure in 4 Days).
The Federal Trade Commission in October imposed a new reporting mandate for nonbank financial institutions requiring them to report a data breach to the agency anytime a third party acquires without authorization the unencrypted records of at least 500 consumers. The mandate becomes effective on May 13 (see: FTC Expands Financial Data Breach Reporting Requirements).