Major US mortgage lender sustains cyberattack.
By Tim Nodar, CyberWire senior staff writer
Nov 6, 2023

Mr. Cooper shuts down access to its systems as a precautionary measure.

Mr. Cooper (previously Nationstar Mortgage LLC), the largest mortgage lending company in the US, has sustained a cyberattack that brought down its IT systems, BleepingComputer reports. The incident affected the company’s online payment portal; the company noted, “Customers trying to make payments will not incur fees or any negative impacts as we work to fix this issue.”

The company said, “On October 31, Mr. Cooper became the target of a cyber security incident and took immediate steps to lock down our systems in order to keep your data safe. Our systems remain locked down, and we are working on a resolution as quickly as possible.” It wasn't immediately clear whether any customer data had been compromised. The company added, “We are actively investigating this event to determine if any data has been compromised. If customers are impacted, they will be notified and provided with identity protection services.”

Precautionary shut-down.

Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal, sees the attack and the shutdown as a cautionary tale. “This recent cybersecurity incident is a reminder that even large and well-established companies are vulnerable to cyberattacks,” she said. “Mr. Cooper quickly shut down systems as a precautionary measure, which is crucial in the event of a cyberattack. When incidents occur, it's important to have protocols in place to quickly react and contain the threat to protect critical systems and data. While the company has not yet disclosed the nature of the attack or the full extent of the damage, it's important to note that mortgage companies hold a wealth of sensitive customer data, including social security numbers and bank account information. If this data was compromised, it could have serious consequences for customers. Customers should monitor their credit reports for any unauthorized activity and look out for signs of identity theft and fraud.”

An attractive target hit during a holiday.

Halloween is a second-tier holiday (it's nobody's day off, for example), but this incident did coincide with all the customary distractions of the day. Erich Kron, Security Awareness Advocate at KnowBe4, commented, “The timing of this attack is certainly interesting, striking when many people are celebrating the Halloween holiday with family and friends. Striking during a holiday time is not an uncommon tactic and can often catch organizations short staffed due to employees taking time off, or making organizations slower to respond due to employees being tougher to reach during these celebratory times. It will be interesting to see if this leads to a loss of data in addition to the system impact, as most modern ransomware groups also exfiltrate data with the intent to use the threat of public disclosure to add leverage to their ransom demands.”

Financial services are always attractive targets. Emily Phelps, Director at Cyware, wrote, “Cyberattacks against critical financial infrastructure, like that experienced by Mr. Cooper, underscore the importance of robust cybersecurity measures and constant vigilance. While it's reassuring to know customers won't face financial repercussions for late payments due to the outage, the potential exposure of customer data remains a significant concern. Continuous monitoring, timely alerts, and an educated customer base are crucial components in the fight against such threats.”

Perspective for investors.

(Added 4:00 PM ET, November 7th, 2023.) We received emailed comments from Moody's Investors Service on Mr. Cooper's cyber incident. “The cyberattack against Mr. Cooper, which blocked millions of customers from making payments and processing mortgage transactions, is credit negative,” said Stephen Lynch, Vice President – Senior Credit Officer for Moody’s Investors Service. “The full impact of the event will depend on duration of the disruptions, ensuing potential reputational damage, and magnitude of the breach.”

“We are closely monitoring the incident – which prevented processing of borrower payments and activity reporting to investors – and the impact it may have on Mr. Cooper’s outstanding Servicer Quality Assessments and approximately 450 RMBS transactions serviced by Mr. Cooper,” added William Fricke, Vice President – Senior Credit Officer for Moody’s Investors Service.