Mr. Cooper Responsible for 'Massive and Preventable' Data Breach: Class Action
Jane Hart aims to hold Mr. Cooper Group mortgage company and parent Nationstar Mortgage accountable for the harms it caused, and will continue to cause, to nearly 15 million individuals affected by a “massive and preventable” Oct. 31 data breach, said the Tennessee resident’s class action Friday (docket 3:24-cv-00093) in U.S. District Court for Northern Texas in Dallas.
Cybercriminals infiltrated Mr. Cooper’s “inadequately protected network” and accessed and “exfiltrated highly sensitive, unencrypted” personally identifiable information (PII) belonging to Hart and class members, the complaint said. Mr. Cooper notified state attorneys general and “many” class members "on or about" Dec. 13 in a notice letter, it said.
The notice letter said Mr. Cooper became aware of unauthorized access to its computer network at the end of October and that a subsequent investigation confirmed “unauthorized cybercriminals” gained access to the network and stole files from certain company systems, the complaint said. The investigation determined that Hart’s and class members’ PII were among the data “obtained” by the unauthorized third party, it said.
Mr. Cooper “disregarded the rights” of Hart and class members by “intentionally, willfully, recklessly, and/or negligently failing to take and implement adequate and reasonable measures” to ensure that Hart’s and class members' PII was safeguarded, the complaint said. It also failed to take available steps to prevent an unauthorized disclosure of data, and failed to follow required protocols, policies and procedures regarding the encryption of data, resulting in the compromise of Hart’s data, it said.
As a result of the data breach, Hart and class members suffered "ascertainable losses in the form of the loss of the benefit of their bargain," out-of-pocket expenses, and the value of their time reasonably incurred to remedy or mitigate the effects of the attack and the substantial and imminent risk of identity theft, the complaint said.
Mr. Cooper left “significant vulnerabilities” in its systems for cybercriminals to “exploit and gain access to consumers’ PII,” the complaint said. Its infiltrated network “was not protected by sufficient multi-layer data security technologies or effective firewalls,” the complaint said. The network allowed to store plaintiff’s PII “did not have sufficiently effective endpoint protection,” it said. Had the PII been properly encrypted, “the data thieves would have exfiltrated only unintelligible data,” the complaint said.
The notice letter gave no further information about the breach and “only recommends how victims can place a fraud alert or credit freeze on their account and how to sign up for the limited and abbreviated identity monitoring services” the defendant offered in response to the breach, the complaint said. The letter didn’t explain how the breach occurred, what steps the company has taken to change its data security practices or whether plaintiff’s and class members’ PII “remains in the possession of criminals,” it said.
The letter said Mr. Cooper immediately took steps to identify and remediate the breach, including "locking down our systems, changing account passwords, and restoring our systems." To "help relieve concerns," the company is providing affected customers with single credit bureau monitoring, credit report and credit score services at no charge for 24 months, the letter said.
Hart believes the cybercriminals will release all stolen information onto the dark web for “access, sale and download following the deadline of the ransom demand to Defendants,” said the complaint. Stolen information includes names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers, it said.
Plaintiff and class members now face “a lifetime of constant surveillance of their financial and personal records, credit monitoring, and loss of rights,” said the complaint. Mr. Cooper has acknowledged the risk and harm caused to customers as a result of the data breach but to date has only offered “abbreviated, non-automatic credit monitoring services,” it said. The “limited credit monitoring is inadequate to protect” Hart and class members from “the threats they face for years to come,” it said. The defendant “put the burden squarely on” Hart and class members “to enroll in the inadequate monitoring services,” it said.
Hart asserts claims of negligence, breach of implied contract and unjust enrichment, the complaint said. She seeks orders requiring Mr. Cooper to implement a comprehensive information security program and to encrypt all data collected through the course of business in accordance with regulations. She also seeks awards of actual, consequential and nominal damages; attorneys’ fees and legal costs; and prejudgment interest. Mr. Cooper doesn't comment on pending litigation, a spokesperson emailed Tuesday.