The verdict is in — the old way of doing business is over. Join us at Inman Connect New York Jan. 23-25, when together we’ll conquer today’s market challenges and prepare for tomorrow’s opportunities. Defy the market and bet big on your future.
After a crippling cyberattack at loan servicing giant Mr. Cooper, the company is now facing a slew of new class action lawsuits accusing it of negligence.
In total, consumers have filed five different lawsuits against Mr. Cooper this month. The first suit was filed on Nov. 8, the second on Nov. 10, and three more on Nov. 14. All of the suits have to do with what the company described on its website as a “cyber security incident” that it discovered on Oct. 31. The company responded to the incident by locking down its computer systems.
The lockdown continued until Nov. 4, during which time many customers were unable to make payments or access their accounts.
Though the extent of the damage from the attack wasn’t immediately clear, the company did say in a report to investors “that certain customer data was exposed, however it will require additional analysis to validate this finding and quantify the scope and type of any such exposure.”
The various lawsuits accuse Mr. Cooper of not adequately protecting the data it handles. The Nov. 8 suit, for example, claims the company failed “to even encrypt or redact” consumers’ “highly sensitive information.”
“This unencrypted, unredacted [personal identifiable information] was compromised due to defendant’s negligent and/or careless acts and omissions and its utter failure to protect customers’ sensitive data,” the complaint in the case states.
The Nov. 10 case makes a similar claim, arguing that Mr. Cooper “failed to comply with industry standards to protect information in its systems that contain [personal identifiable information], and has failed to provide timely, accurate, and adequate notice to Plaintiff and other Class Members that their PII had been compromised.”
The lawsuits also raise a number of other issues, including that impacted Mr. Cooper customers still don’t know the extent of the data breach, and the claim that the company failed to take precautions it should have known about.
As a loan servicer, Mr. Cooper collects monthly payments from homeowners on behalf of lenders and investors, servicing 4.29 million mortgages totaling $937 billion as of Sept. 30.
Consumers from various different states filed the suits, but they are all being litigated in the United States District Court for the Northern District of Texas — which is where Mr. Cooper is headquartered. The various suits are seeking class action status for Mr. Cooper customers who were impacted by the cyber attack.
The Real Deal reported Tuesday on some, but not all, of the suits. The Nov. 8 suit is embedded below. The Nov. 10 suit is available here, while the Nov. 14 suits are available here, here and here.
Mr. Cooper did not immediately respond to Inman’s request for comment on the new lawsuits.
However, in the days after the hack, it announced that it “does not store banking information related to mortgage payments on our systems. This information is hosted with a third-party provider and, based on the information we have to date, we do not believe it was affected by this incident. As a result, we do not believe that any of our customers’ banking information related to mortgage payments was impacted.”
Mr. Cooper also said after the incident that it expects to rack up $5 million to $10 million in additional vendor costs as a result of the cyberattack, and that the precautionary shutdown of its systems will have an additional impact on fourth-quarter revenue and expenses.
All of the lawsuits ask for a jury trial. Most also ask for undisclosed monetary damages, as well as for a judge to order Mr. Cooper to fix the problems that allegedly led to the data breach. However, one of the suits also specifically asks for $5 million, in addition to other damages.
Read the complaint in the Nov. 8 suit here: