Mr. Cooper breach goes from bad to worse: 14.6M current, former customers exposed

Mr. Cooper, a major U.S. mortgage servicer, says an October data breach affected nearly 14.7 million people, including all its current and former customers.

An SEC filing disclosing the cybersecurity breach, updated on Dec. 15, 2023, states that a forensic review of the Oct. 30, 2023 incident determined “personal information relating to substantially all of our current and former customers was obtained from our systems during this incident.”

Mr. Cooper provided a data breach notification to the Office of the Maine Attorney General saying a total of 14,690,284 people were affected by the breach. A written notice (PDF) sent to breach victims says names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers were stolen.

The company says an unauthorized third party had access to some of its systems between Oct. 30 and Nov. 1. After detecting the intrusion on Oct. 31, Mr. Cooper shut down its systems, which resulted in a service outage between Nov. 1 and Nov. 4.

The company is offering all affected customers two years of free identity protection services through TransUnion’s IdentityForce. Victims are required to enroll for these services within 90 days of receiving the written breach notice.

Mr. Cooper breach scope triples

Mr. Cooper had about 4.3 million customers as of Sept. 30, 2023, according to its website. This suggests more than 10 million non-customers were caught in the crossfire, expanding the scope of the breach by more than three times.

The breach notice published through the Maine Attorney General’s office outlines victim categories beyond current customers. These include former customers, current and former sister brand customers, customers of mortgage companies Mr. Cooper has been a servicing partner for, and those who have applied for a home loan through the company.

Sister brands of Mr. Cooper include RightPath Servicing, Rushmore Servicing, Greenlight Financial Services and Champion Mortgage. The notice also says those whose loans were acquired or serviced by Nationstar Mortgage LLC or Centex Home Equity may be affected. Mr. Cooper did business as Centex Home Equity starting in 2001 and as Nationstar Mortgage starting in 2006, according to SEC records.

It is unclear exactly how far back the leaked data goes. Mr. Cooper declined to provide further details to SC Media about the breach and the company’s security measures.

“We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers’ trust,” Jay Bray, chairman and CEO of Mr. Cooper Group, said in a statement.

Long-term data retention a requirement – and a risk

Cybersecurity experts told SC Media that companies like Mr. Cooper frequently store former customers’ data for several years due to regulatory requirements.

“While this is not unusual, it does underscore the importance of having robust data protection and access governance strategies, especially for past customers’ data, which might not be actively monitored or deemed as critical as current customer data,” said Pathlock CEO Piyush Pandey.

Data masking and continuous controls monitoring are additional tools businesses should use to defend both current and former customers’ data, Pandey noted.

Despite a range of laws and guidelines instructing businesses to retain data for a certain number of years, companies can also take steps to ensure they are not keeping sensitive data longer than required, says Claude Mandy, chief evangelist of data security at Symmetry Systems.

“Increasingly our customers, with the help of our data centric monitoring, identify and proactively delete data beyond its retention lifecycle, and further reduce access to sensitive data in a manner commensurate with its actual usage and sensitivity,” said Mandy. “In one example, we enabled a Fortune 100 organization on Google Cloud to delete over 25% of their cloud assets such as Projects, Identifiers and production data without any business impact.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, recommends companies regularly audit their data inventory and employ appropriate data protection measures. This includes using privileged access management (PAM) platforms and factoring cybersecurity into the selection of third-party vendors.

“The most effective method for minimizing sprawl [when] an attack does occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access,” Tiquet said.

The Mortgage Bankers Association, an organization that represents more than 2,200 companies in the real estate finance industry, offers information security guidelines with similar recommendations.

“The cost of keeping data needs to be considered in conjunction with the legal requirements for retaining it,” the guidance states. “Access control to limit who can access data in each location will tighten security. Only a clear inventory of the data allows for these controls and management to be put in place effectively and efficiently.”
