It's been over 10 days since Mr. Cooper experienced a cybersecurity incident that impacted its servicing system and now it believes customer data was exposed. According to an SEC filing, the attack could cost the company at least $5 to $10 million.
According to the company's website as of Friday morning, "We are continuing to investigate precisely what information was exposed. In the coming weeks, we will mail notices to any affected customer and provide them with complimentary credit monitoring services."
Until then, the company says customers should monitor their accounts and contact the three major credit bureaus to place a "fraud alert" on their file at no cost.
The statement goes on to say, "We do not believe that any of our customers' banking information related to mortgage payments was impacted." The company said customers can now access their accounts through the website and automated phone system and will not incur any fees or penalties as a result of late payments.
"We continue to conduct a thorough investigation and have not reported the total customer impact number at this time. Any customer impact number reported in the media is speculation," a company spokesperson said Friday. "We continue to make great progress restoring our operations in a safe and secure manner, and are taking customer calls and payments."
In a recent regulatory filing, Mr. Cooper stated that it believed the cyberattack would not result in a "material adverse effect" on its operations or finances.
"While we cannot presently quantify the full extent of remediation and legal expenses associated with this cyber attack, we do not believe the impact will be material to our results of operations or financial conditions. We estimate fourth-quarter earnings will include $5 to $10 million of additional vendor costs," Friday's filing stated.
On Tuesday, Stephen Lynch, a senior credit officer at Moody's Investors Service, told the New York Times that Moody's was closely monitoring the incident. The ultimate impact, Lynch noted, would hinge on the duration of the disruptions, potential reputational harm, and the scale of the security breach.
The Oct. 31 attack came days after the mortgage servicing company reported third-quarter net income of $275 million on Oct. 25. After adjusting for mark-to-market and specific other factors, the company reported a pretax operating income of $249 million.
The company inadvertently may have painted a bull’s eye on its back. In addition to healthy third-quarter profits, company officials said during an earnings call it was the biggest and best. During the call, Chairman and CEO Jay Bray said that Mr. Cooper Group is now the "industry's largest servicer. We are also the most efficient."