Mr. Cooper denies link between cyber attack and PII on dark web

Mr. Cooper is disputing claims that a ransomware attack last October is linked with customers having their personal identifiable information leaked on the dark web, as is alleged in a class action against the company.

"There is absolutely no evidence that any of the personal identifiable information subject to the ransom attack is on the dark web," Mr. Cooper wrote in a filing dated Aug. 20. "Plaintiffs have not alleged any Article III injury sufficient to give them standing to state a claim."

Mr. Cooper will be filing a motion to dismiss the class action by Sept.13, documents show. 

A month prior to this filing, plaintiffs submitted a 178-page consolidated amended complaint to a Texas federal court outlining how each member was impacted following the cyber breach. The lawsuit accuses Mr. Cooper of being negligent in protecting customer PII.

The mortgage lender and servicer in turn claims it has "well-designed cybersecurity practices and procedures to protect consumer PII" and that it "quickly detected the attack and engaged its incident response protocols to successfully mitiage any possible impact on consumers."

Mr. Cooper declined to comment on pending litigation. An attorney representing the plaintiffs could not be reached for comment.

The Texas-based company's cyber breach, which leaked the social security numbers of 14.7 million customers, has had ongoing consequences for those impacted, plaintiffs claim.

Some of the class members reported being hit by a wave of spam and seeing credit cards opened in their names, a July filing in Texas federal court shows. In one instance, a customer said they had $25,000 withdrawn from a Charles Schwab account. These incidents are proof of injury to Mr. Cooper customers and will help members prevail the company's future motion to dismiss, plaintiffs in the suit claim.

However, Mr. Cooper says plaintiffs "allege no recognized injury, only a speculative concern of future harm after receipt of a data breach notification."

"Moreover, for many named plaintiffs, the alleged injury or harm has no coherent connection to the data allegedly stolen from Mr. Cooper. This of course makes sense because in ransomware attacks the objective is to extract money from the company in exchange for not releasing any consumer data," the company wrote in a joint submission with the plaintiffs outlining discovery matters.

It is uncertain whether Mr. Cooper actually paid a ransom to stop perpetrators from disseminating stolen information. 

Despite the fact that Mr. Cooper is set on filing a motion to dismiss the suit and does not think "that plaintiffs are entitled to any relief in this action," the filing shows it is open to settlement discussions "at the appropriate time."

Mr. Cooper has incurred expenses of at least $27 million related to the incident, it said this year. 

The amended complaint filed by plaintiffs in July claims Mr. Cooper was subject to a two-stage attack that resulted in the cyber breach.

The first came from an initial access broker, which penetrated the company's system through multiple access points and exfiltrated customer PII, and then by a ransomware gang which sought and extracted a ransom. 

As of June 9, cybercriminal Wockstar, likely behind the attack, was selling the source code allegedly used to perpetrate the breach for $50,000 in bitcoin, the complaint revealed. This could open up the door for other nefarious players to target companies in the same way.

The suit accuses the servicer and lender of failing to comply with regulations and industry standards to protect customer data and demands the mega company "implement and maintain reasonable security measures" such as having audits on its systems, engaging third-party and internal personnel to run automated security testing and purging PII not necessary for its provision of services.

For reprint and licensing requests for this article, click here.
Servicing Cyber attacks Cyber security Technology Mortgage technology
MORE FROM AMERICAN BANKER