Remember that Halloween cyberattack on Mr. Cooper? Hackers got customers’ names and birth dates, Social Security numbers, addresses and phone numbers. They even got access to people’s banking details.
Some customers — new and longtime — tried to log in and could not access their accounts. They could not make payments. Even worse, the breach derailed some home buyers’ closing days.
Some people just recently received letters about the breach, and realized that the Mr. Cooper Group must have touched their mortgages at some point. Some of the exposed customer information came from households financed or serviced by Nationstar Mortgage — Mr. Cooper’s previous name. Their past information was still stored in the system. According toTechCrunch, nearly 14.7 million people had their data stolen.
But there’s more. Mr. Cooper wasn’t the only mortgage firm dealing with security breaches.
A spate of recent cyberattacks hit three more big mortgage and title companies: National Financial (FNF®), First American Financial, and loanDepot®. All in the past four months. The fallout is ongoing.
Is Cyberattacking Now a Software Industry?
Cyberattacks are becoming more frequent — and they’re being packaged.
Ransomware as a Service (RaaS) providers “license their software to other malicious parties, typically in exchange for a portion of the ransom proceeds,” according to the cybersecurity company SentinelOne.
Financial businesses, much like government agencies, dread having to go offline. So they might be pressed into coughing up ransoms. With ransomware, bad actors don’t have to be very sophisticated to do a lot of damage.
In addition to the ransom demands, there are the Distributed Denial of Service (DDoS) attacks. These can affect emails, websites, and financial accounts.
Multiple computers swarm one target. This is how the DDoS works. It shuts down valid visitors’ access to websites and systems by flooding the network with activity.
Software, and even “attack-for-hire” services, can help fraudsters carry out DDoS.
Could digital fingerprints and blockchain technology be society’s best bets against ransomware?
Costs to the Company: The Worst Is Reputational
After being attacked, a company could easily spend millions of dollars on temporary remedies to comfort the people affected. Things like identity protection services for current and past customers.
On top of that, a hacked company can face civil suits.
No company wants its shares to fall on account of negative news and social media. No company wants to be stuck in court. So companies pay ransoms to shake off the nightmares and get back to business. The average ransom paid out to hackers stands at $1.6 million, according to Sentinel One.
The government takes these things seriously. This could mean more potential costs. Companies may find themselves paying fines for not following rules. There are official penalties for leaving customers’ information vulnerable, if a company falls short of industry requirements.
Normal business operations are suddenly placed on hold as personnel focus on mitigating losses, restoring the databases, and adopting new security measures. In fact, Mr. Cooper is expected to pay some $25 million in a three-month period for data recovery and credit protection for its customers, the company has stated.
Companies are also forced to shell out higher premiums for their cybersecurity and insurance coverage. They may need to employ cybersecurity experts to assess or prevent further damage.
And when the dust settles, people feel let down. Regaining the trust of customers and the public isn’t easy. Nor is it cheap.
What We Should Expect Financial Services to Do
Once a data breach comes to light, a business needs to inform customers whose personal information was exposed. It needs to monitor the internet for evidence of any further harm. It needs to be upfront about the incident and the scope of what was compromised. It needs to offer guidance about how the people affected can act to protect themselves.
We should expect our lenders and loan servicers to:
- Communicate well and promptly with all affected people in the case of a data security incident.
Tell us that our personal data was exposed, and offer some protective assistance. Typically this comes in the form of credit monitoring for two years.
- Use preventative methods, such as ransomware and DDoS protection systems, including email protection.
- Regularly monitor and test the network, and run appropriate data recovery drills.
Crucially, financial offices need the right tools for allowing access to their systems. Cutting-edge tools now feature ChatGPT and generative AI, Sentinel One reports.
How Borrowers Can Protect Personal Data
“We intend to make this right for our customers,” Mr. Cooper said. But the trend seems to be going quite wrong.
As financial customers, we might decide to keep our own set of account records. This will help in case of claims of late or missed payments, or other lapses. We can also lock or “freeze” our credit information if we think it has been compromised and could do further damage. The federal government explains how to freeze and unfreeze credit. This way, no new accounts are allowed to be opened in our names. For online freeze requests or requests made by phone, the three major credit agencies must freeze your credit report within one business day. If you want the freeze removed, ask online or by phone and it should be off within the hour.
Another thing we can all do is use a unique password on each website we log into. This limits the usefulness of a hacked password.
By federal law, financial offices must guard our data. States have applicable laws, too. We can complain to the Consumer Financial Protection Bureau if we believe firms have not handled our information appropriately.
We trust companies with our private information. They must be prepared to guard it.
Technology providers must step up, too. They know their products best. They’re in a position to guide the financial sector in adopting best practices. Finally, they can monitor the products they’ve already sold.
Notes to our readers: Deeds.com is not affiliated with any companies or agencies mentioned in this article. The company targeted by a cyberattack was Fidelity National Financial, not Fidelity® Investments. According to its website, Fidelity National Financial, Inc. (FNF®) is “the leading provider of title insurance and settlement services to the real estate and mortgage industries.”
Supporting References
U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, via CISA.gov: Understanding Denial-of-Service Attacks (Feb. 1, 2021).
Matt Kapko for Cybersecurity Dive: Deep Dive – Mortgage Industry Attack Spree Punctuates Common Errors (Feb. 6, 2024). See also: Deep Dive – Mr. Cooper Cyberattack Hits Every Current — and Former — Customer (Dec. 18, 2023).
Zack Whittaker for TechCrunch: Mr. Cooper Hackers Stole Personal Data on 14 Million Customers (Dec. 18, 2023).
Rachel Witkowski for Forbes Advisorvia Nasdaq+ (Nasdaq, Inc.): Mr. Cooper Admits Mortgage Customers’ Data Exposed During Payment-Blocking Cyber Attack (Nov. 9, 2023).
SentinelOne® (Mountain View, CA), via SentinelOne.com: Blog – Cyber Attacks on Financial Institutions – Why Banks Are Caught in the Crosshairs (Aug. 22, 2023).
Mani Keerthi Nagothu for SentinelOne® (Mountain View, CA), via SentinelOne.com: Blog – Integrating ChatGPT and Generative AI Within Cybersecurity Best Practices (April 5, 2023).
And as linked.
More on topics: Email closing scams, Closing day, hacked
Photo credits: Saksham Choudhary and Cottonbro Studio, via Pexels/Canva.