A Texas federal judge has cleared the way for key claims in a major class‑action lawsuit against Mr. Cooper — filed after a late‑2023 cyberattack exposed the data of nearly 15 million customers — to move forward.
The court found in a late-July ruling that plaintiffs have standing and preserved claims for breach of implied contract and negligence, while dismissing more speculative allegations such as express‑contract breach, unjust enrichment, invasion of privacy, and breach of confidence.
What’s At Stake
The plaintiffs, a putative class of affected customers, allege Mr. Cooper failed to implement basic cybersecurity safeguards, despite awareness of repeated hacking attempts, and that hackers obtained customers’ personally identifiable information (including Social Security numbers, bank account data, and birth dates), some of which plaintiffs claim are now circulating on the dark web.
Alleged harms include fraudulent bank charges, identity‑theft alerts, and hours spent mitigating risk.
Court’s Reasoning
- Standing: The court ruled that the data breach, being targeted and allegedly resulting in misuse and dark web exposure, could constitute a concrete injury — far more than speculative risk.
- Implied Contract And Negligence: The plaintiffs plausibly allege Mr. Cooper implicitly promised to safeguard customer data and breached that duty through lax security measures. The negligence claims survive alongside implied‑contract claims, the court ruled.
- Dismissed Claims: Claims of breach of express contract, unjust enrichment, invasion of privacy, and breach of confidence were dismissed. The court found these either unsupported or beyond the scope of Texas law.
- Deferred Issues: Judge David Godbey held off on ruling on negligence‑per‑se and various state‑law claims until class‑certification proceedings.
Key Points
- Regulatory And Reputational Risks: Mortgage servicers must prioritize cybersecurity as a core operational duty — not just a compliance checkbox. This decision underscores that failure to safeguard borrower data can yield serious liability.
- Contract Dynamics: Even absent signed privacy promises, industry expectations around data protection may effectively create enforceable obligations.
- Merger Implications: The case unfolds amid Rocket Companies’ pending $9.4 billion acquisition of Mr. Cooper, expected to close in the fourth quarter of this year. While Rocket may benefit from integrating servicing platforms and economies of scale, unresolved litigation represents both strategic and reputational exposure. Depending on how the case unfolds, Rocket may inherit not just Mr. Cooper’s servicing strength — but also its legal liabilities.
What’s Next
Parties now turn to class certification, with Judge Godbey originally setting a March 13, 2026 deadline for rulings on the class question.
Meanwhile, mortgage servicers should review and reinforce their data‑protection frameworks to safeguard borrower trust and preempt similar data breaches — and potential subsequent litigation.
