Mr. Cooper Hackers Stole Personal Data on 14 Million Customers (techcrunch.com)

Hackers stole the sensitive personal information of more than 14.6 million Mr. Cooper customers, the mortgage and loan giant has confirmed. From a report: In a filing with Maine's attorney general's office, Mr. Cooper said the hackers stole customer names, addresses, dates of birth and phone numbers, as well as customer Social Security numbers and bank account numbers. Mr. Cooper previously said that customer banking information was stored by a third-party company and believed to be unaffected. Mr. Cooper said in a separate filing with federal regulators on Friday that hackers obtained personal data on "substantially all of our current and former customers."

The number of affected victims is significantly higher than the four million existing customers that Mr. Cooper claims on its website, likely because of the historical data that the company stores on mortgage holders. Mr. Cooper said in its data breach notification letter to affected victims that the stolen data includes personal information on those whose mortgage was previously acquired or serviced by the company when it was known as Nationstar Mortgage, prior to its rebranding as Mr. Cooper. The company said affected customers may include those whose mortgages were serviced by a sister brand.

  • Everyone's data has probably been stolen many times over if Have I Been Pwned is to be believed. Exist online? Someone pwned you. Period.
    • by yet-another-lobbyist ( 1276848 ) on Monday December 18, 2023 @02:27PM (#64089629)
      Well, being Pwned is one thing. But this one apparently has a combination of DOB, SSN, and banking info. In terms of being able to wreak real havoc in terms of ID theft, it doesn't take much more... This is very different from, say, having your Slashdot account Pwned.
      • The Equifax breach already leaked all of this for everyone years ago.

        • by mkraft ( 200694 )

          I don’t think the Equifax breach had bank account numbers and routing info. That’s actually somewhat worse than SSN as at this point everyone likely has their credit frozen and free credit monitoring. With banking details everyone has to watch for automatic withdrawals.

      • This is very different from, say, having your Slashdot account Pwned.

        Ach! Are you saying it's worse than long daisy-chains of swastikas?

  • When will people start going to prison? And I'm not talking about the hackers, but the CEOs and all other managers that shrug their shoulders and say they will do better in the future and then skimp even more on IT security.
    • No. No prison. Hold them accountable. Make them pay with their own, private money for the fallout.

      Hit these fuckers where it really hurts them. Let them for a change drown in debt, in a debt they can't weasel out of via bankruptcy, a debt that will hang over their worthless head 'til they hang themselves.

      Then sell their organs to recover the damage at least in part.

      • No. No prison. Hold them accountable. Make them pay with their own, private money for the fallout.

        Define "them". As a security person, I am not interested in being the fall guy for corporate malfeasance. And there is plenty of malfeasance, which is why this shit keeps happening.

        • Depends. Did you get the budget to ensure a sensible security situation? Then yes. You deserve punishment if you can't show that you used it to ensure a sensible level of security. Perfect security is not possible, nobody demands that, but in my experience as a security auditor, most security breaches are due to a blatant neglect of even the basic security requirements.

    • How about because no law specifies such? If you want such a result, suggest it to your duly elected lawmaker. Even better, get many of your fellow voters to suggest such a law with desired penalties and to whom that applies. Still not working, then consider running for office so that you can more directly influence the creation of such a law. This is how republics function, and if enough of your fellow citizens also desire such a law, it can be enacted (by passing both houses of Congress and being signed by th

      • If you want such a result, suggest it to your duly elected lawmaker.

        They don't care. Trust me. I have experienced it directly.

        Still not working, then consider running for office so that you can more directly influence the creation of such a law.

        I, realistically, have no chance at all of being in that group. I am not a part of the proper social circles or from the proper social background.

        This is how republics function, and if enough of your fellow citizens also desire such a law, it can be enacted (by passing both houses of Congress and being signed by the President).

        I am guessing you have never heard of gerrymandering.

        Lastly, if it passes constitutional muster at the Supreme Court -- well then, Bob's your uncle, we can expect CEOs, managers, coders, operators, etc. across the land to be incarcerated for insufficiently following the requirements contained within this new law.

        Except that the Supreme Court is a buyers court now and even if it wasn't, ask the Supreme Court how it works out when dearly beloved Andrew Jackson told them he would NOT enforce their findings in relation to the Cherokee natives.

        So yeah, in theory, your

        • Why go all the way back to Andrew Jackson -- just look at the student loan decision by the Supreme Court. They effectively ruled that forgiving student debt and transferring that forgiven debt to the taxpayers (the vast majority not having any of their debt "forgiven") was a spending action and thus had to be initiated and approved first in the legislature, and not decided by the executive. Of course pursuant to that decision, the executive has now approved over $100 billion in student loan debt. The furthe

    • Wrong targets.

      Every large business, including Mr. Cooper, knows that it's only a matter of time before the hackers come after them. They have entire teams dedicated to combating breaches. They know the peril and the damage it can cause them. But the reality is that it's an arms race that you can never really win.

      After hundreds of years of banks, why do we still have bank robberies, and armored car robberies? Why hasn't security been improved enough to stop the nonsense, despite losses of many millions of do

      • Every large business, including Mr. Cooper, knows that it's only a matter of time before the hackers come after them.

        True.

        They have entire teams dedicated to combating breaches. They know the peril and the damage it can cause them.

        Not really true. Especially since they do not really do proper risk calculations.

        After hundreds of years of banks, why do we still have bank robberies, and armored car robberies?

        Because people still want stuff.

        Why hasn't security been improved enough to stop the nonsense, despite losses of many millions of dollars?

        There is no need. When is the last time you heard of a physical heist being worth more than about $50k? When is the last time you heard of someone robbing a bank and getting away with it over the long term? DB Cooper springs to mind... from the 1970s. Essentially, any robbery over a certain amount is guaranteed to get busted. Sure, they committed the crime, but there is no way to spend that

        • Not really true. Especially since they do not really do proper risk calculations.

          "Proper" is a subjective term. You cannot substitute your opinion of what is "proper" for what actually makes sense for a business, or under the law.

          Because people still want stuff.

          Yup, and because people still want stuff, they will continue to carry out digital attacks.

          When is the last time you heard of a physical heist being worth more than about $50k?

          Armored cars routinely carry cash amounts larger than $50K, sometimes in the millions. Armored car robberies occur disturbingly often. https://news.google.com/search... [google.com]

          • "Proper" is a subjective term.

            Proper is not an entirely subjective term when the person commenting on 'proper' is a specialist in the area being discussed. But believe whatever you want. They were going to get publicly shamed sooner or later as hackers have been roaming their networks for years.

            • Every company, and every situation, calls for a different risk mitigation calculation, based on costs and benefits. YOU don't have enough information to judge what is "proper" for any company other than your own, and maybe not even your own.

              OK fine, so they'll get their just deserts. Why do you want people to go to prison then, exactly?

    • When will people start going to prison? And I'm not talking about the hackers, but the CEOs and all other managers that shrug their shoulders and say they will do better in the future and then skimp even more on IT security.

      Never. I work in this area and I can guarantee you that nobody will want to work in this area if criminal charges are likely. I can point out all day long how something is a problem, but if resources are not allocated to deal with it, what can anyone do? Security folks don't get to allocate resources. If they did, they would bankrupt the organization they are trying to save.

      Why would they bankrupt an organization? Because you can't secure what was designed to be insecure. Try securing anything regarding Mic

  • by Opportunist ( 166417 ) on Monday December 18, 2023 @02:34PM (#64089649)

    They will not have to pay a dime for that, right? They probably just trashed the credit rating of millions, but nothing bad will happen to these dimwits. Nobody will hold them accountable for their crappy security and everyone will just shrug it off.

    As long as we do, nothing will improve. Why bother spending a dime on security if it doesn't cost me one if my cardboard door gets kicked in?

    • You have such a naive view of how business works. Mr. Cooper is going to lose a TON of money over this, whether or not they are fined.

      And let's stop punishing the victims here. Are you going to punish the borrowers for using a lender that doesn't properly secure their data? It's ridiculous how everybody jumps on the company that was attacked, instead of going after the criminals who committed the crime.

      • Today's society doesn't view crime as crime. This is mainly because society is too afraid to punish criminal behavior. Even changing this attitude is nearly impossible, as there are too many soft justice promoters who mostly have never had something bad happen to them, so they don't want to hurt anyone in return. This is where we are and this is what we get.
        • Just to be clear, you're *not* suggesting that we should punish the victims then, right?

          One additional problem with this situation, in addition to the law being soft on criminals, is that many of these hackers are in other countries, where our laws don't apply. That makes it a lot harder to reach them.

          • One additional problem with this situation, in addition to the law being soft on criminals, is that many of these hackers are in other countries, where our laws don't apply. That makes it a lot harder to reach them.

            To a certain extent, however, I helped the FBI and Interpol catch some hackers who had caused some annoyances to the US Navy. They were sentenced to prison in America. I almost felt sorry for them.

        • If what you say is true, then why are there people in prison for a decade or more over a minor possession charge? Sure, yeah, let's get even TOUGHER on crime.

          I hate to say it, but you are not very smart and are painting things with VERY broad strokes.

          Today's society doesn't view crime as crime.

          Reductio ad absurdum bro. Reductio ad absurdum indeed.

          Some crimes, committed by some people, are viewed by the elites of society as being permissible. That is a better wording I think.

      • by Slayer ( 6656 )

        You have such a naive view of how business works. Mr. Cooper is going to lose a TON of money over this, whether or not they are fined.

        Looking at the Equifax situation: they had appalling security, knew about it, did nothing about it, lost all their data, damaged countless people who were not even their direct customers, and what happened? Did this company go under? Nope. Did they get a crippling fine? Nope! Business as usual went on, the typical hogwash "you'll get credit monitoring if you really insist" and the whole issue fizzled out.

        Please tell me in detail, how Cooper will lose "a TON of money over this" ...

        And let's stop punishing the victims here. Are you going to punish the borrowers for using a lender that doesn't properly secure their data? It's ridiculous how everybody jumps on the company that was attacked, instead of going after the criminals who committed the crime.

        We won't accuse Cooper of

        • Do you have actual evidence that Equifax had lax security? Or are you just assuming that they did?

          Mr. Cooper will lose money from potential customers who have heard about the breach and choose to go with a different lender. They will also have to spend a lot of money dealing with the actual breach, and beefing up security, plus marketing their new resolution to keep customer data safe. All that stuff costs a lot of money.

          You accuse them of negligence. Do you have evidence of this?

          No one is suggesting that M

          • by Slayer ( 6656 )

            Do you have actual evidence that Equifax had lax security? Or are you just assuming that they did?

            An important patch for Apache Struts was released on March 10th, and not yet deployed at Equifax on May 12th. Immediately after the release of the patch a hacker group started scanning the net for vulnerable hosts, go figure. Exploitation and Equifax data extraction then went on uninhibited for more than 2 months.

            They can give me "but in a corporate environment you can't just patch a vulnerability right away", but either this line is BS, or corporate outfits should not hold on to such quantities of highly s

            • You clearly haven't worked on a software project of any size, have you! Keeping libraries updated is a difficult and challenging task. Every referenced component can potentially cause bugs when updated. Many large organizations use hundreds or thousands of such components, so keeping them all updated is a daunting task.

              You don't know why Mr. Cooper hasn't stated what you want them to state. It could be that it's embarrassing, or it could be that the investigation is still ongoing and they don't yet have the fa

              • by Slayer ( 6656 )

                You clearly haven't worked on a software project of any size, have you! Keeping libraries updated is a difficult and challenging task. Every referenced component can potentially cause bugs when updated. Many large organizations use hundreds or thousands of such components, so keeping them all updated is a daunting task.

                I generally don't work on Windows software, but trust me: I know how to write and run software. Look at my user ID, I am certainly not new to this field. Some of my software drives systems that people's lives depend on. These 14 million data records involuntarily exposed by Mr. Cooper will not lead to immediate loss of life, but mess with enough people's data long enough, and the outcome will be quite dire in some situations.

                BTW I did not claim, that it is easy to keep such a system updated and afloat, but

                • Your user ID says you've been around a long time, but it doesn't say you understand large software systems. Supporting millions of concurrent users is a very different software development proposition than one desktop at a time. Everything takes exponentially longer to do and to test.

                  There is *always* a balance between improving security, and controlling costs. No company has the money to do *everything* that every so-called security expert thinks should be done to secure their systems.

                  There are some "big boys", who do it your way (shrug shoulders, "how could we possible update this?")

                  First, that's not "my

                  • by Slayer ( 6656 )

                    Your user ID says you've been around a long time, but it doesn't say you understand large software systems. Supporting millions of concurrent users is a very different software development proposition than one desktop at a time. Everything takes exponentially longer to do and to test.

                    It should be abundantly clear that neither Mr. Cooper nor Equifax supported "millions of concurrent users" at any time during their online presence. They were responsible for a remarkable treasure trove of data, but both mortgages and credit worthiness are not something the majority of their customers would check on a daily basis.

                    At the same time their products were not exactly marvels of technical sophistication. They chose to implement their web apps in such a way, that a rapid response to a novel secur

                    • Mr. Cooper holds about 4.3 million mortgages. https://www.nytimes.com/2023/1... [nytimes.com]. When the first of the month rolls around, and it's time to pay the monthly mortgage payment, you'd better believe that leads to "millions of concurrent users." Not every day necessarily, but certainly spikes that reach that order of magnitude.

                      Numbers for Equifax are less clear, but given that they hold data for 800 million customers, https://en.wikipedia.org/wiki/... [wikipedia.org]. and every time one of those "customers" buys something that

                    • by Slayer ( 6656 )

                      Mr. Cooper holds about 4.3 million mortgages. https://www.nytimes.com/2023/1... [nytimes.com].

                      What do you know about that? DID they have "ALL" data sets online and readily accessible? If you're going to accuse, you'd better have evidence.

                      Since we likely agree that over 14 million data sets were accessible to hackers [bleepingcomputer.com], we can hopefully also agree that the ratio of necessary data records vs. actually available data records is 1:3. That's a lot of extra data and a lot of extra associated risk and responsibility.

                      At the same time their products were not exactly marvels of technical sophistication

                      You have *no* idea. Having actually run a software development shop for a large mortgage lender, I can tell you that the mortgage process is so complex that it required us to use mortgage-specific software components from about 50 different vendors. There is no way we could have written all those components ourselves.

                      You can stash all the (real or perceived) requirements you want, and argue "it's impossible to keep such a system up to date", but what you really argue is this: such systems shouldn't exist in the way they do, because they seemingly c

                    • There's a reason why fail-safe systems for public transport aren't just "somewhat locked down Windows or Linux computers doing their thing"

                      Oh, you mean like these?
                      https://www.cyberpolicy.com/cy... [cyberpolicy.com]
                      https://therecord.media/pierce... [therecord.media]
                      https://www.stltoday.com/news/... [stltoday.com]

                      I think your impression of the security practices of public transport is wildly overconfident.

                      And if that place you're trying to secure is a large depot for nuclear fuel rods

                      And this is where your analogy breaks down. Nobody is going to die because of the Equifax and Mr. Cooper breaches. Mostly, people will get unwanted spam, or will need to reset their passwords. As a Mr. Cooper customer, this is the actual result. My personal data has already been leaked so many

                    • by Slayer ( 6656 )

                      Oh, you mean like these? https://www.cyberpolicy.com/cy... [cyberpolicy.com] https://therecord.media/pierce... [therecord.media] https://www.stltoday.com/news/... [stltoday.com]

                      I think your impression of the security practices of public transport is wildly overconfident.

                      As you can see, these ransomware attacks targeted the online resources offered by these companies. No train derailed because of the attack, no bus fell off a bridge. The web resources are typically run by people who follow your way of running systems, Windows everywhere, huge systems kludged together from hundreds of components offered by dozens of different vendors with no upgrade path, no system updates "because something could break", and yes, you just offered three more examples, where this kind of corp

                    • Oh, I didn't realize that the standard for ransomware risk was trains literally falling off tracks. You're right, that's not typically what hackers are going for. They typically want data so they can resell it.

                      As for embedded OSes, they are not immune. https://www.darkreading.com/vu... [darkreading.com]

                      I know first-hand what kinds of personal details are collected by mortgage lenders. Yes, they do have a lot. But regular stores like Walmart and Amazon have just as much info about you, maybe a slightly different set, but not

                    • by Slayer ( 6656 )

                      Oh, I didn't realize that the standard for ransomware risk was trains literally falling off tracks. You're right, that's not typically what hackers are going for. They typically want data so they can resell it.

                      Now you sound like the inexperienced noob. Chinese and Russian government hackers would be perfectly happy crashing western infrastructure. Russia does it a bit more subtly, poking here and there, taking a few data sets of high interest, but when China is on a rampage, they take everything. Chinese are deeply embedded in western infrastructure and will inflict massive damage if that furthers their agenda [dni.gov].

                      The real reason, why trains don't derail every holiday season is, that the systems responsible for their

                    • It's not the embedded OS, which makes trains stay on track, though

                      Oh yes, embedded software certainly does play a part in keeping trains on tracks.
                      https://apnews.com/article/ind... [apnews.com]
                      https://spectrumnews1.com/oh/c... [spectrumnews1.com]

                      As for large software systems, you've clearly never worked with them, or you would understand why updating them is hard, and why the *best* companies struggle to keep everything current. The software issues at Experian and Mr. Cooper are far from unusual.

                    • by Slayer ( 6656 )

                      It's not the embedded OS, which makes trains stay on track, though

                      Oh yes, embedded software certainly does play a part in keeping trains on tracks. https://apnews.com/article/ind... [apnews.com] https://spectrumnews1.com/oh/c... [spectrumnews1.com]

                      Sometimes I get the impression you intentionally twist my words to make them appear ridiculous; if that's the case: please stop. What I tried to express was that an embedded OS is not inherently more secure than a server OS, quite to the contrary. The reason why trains stay on track, while their ticket sales servers get pwned left and right, is not the choice of OS or embedded vs. server, but the overall software culture behind it, the risk awareness/management, and the urgency to address threats to syste

                    • The reason why trains stay on track, while their ticket sales servers get pwned left and right, is not the choice of OS or embedded vs. server, but the overall software culture behind it, the risk awareness/management, and the urgency to address threats to system integrity.

                      One would imagine this to be so, that it *should* be so, but you have no evidence that it is actually so. Based on my own experience, which includes some industries where security is thought to be at a premium (banking, genetics, healthcare), I find that the so-called "security-focused" systems are really no better off than the rest; there are just as many vulnerabilities, and just as much focus on *saving money* rather than security, as anywhere else.

                      Once stricter fines and regulations appear, you will all either change pace or go the way of the Dodo

                      There is no more tightly regulated industry than healthcare.

                    • by Slayer ( 6656 )

                      One would imagine this to be so, that it *should* be so, but you have no evidence that it is actually so. Based on my own experience, which includes some industries where security is thought to be at a premium (banking, genetics, healthcare), I find that the so-called "security-focused" systems are really no better off than the rest; there are just as many vulnerabilities, and just as much focus on *saving money* rather than security, as anywhere else.

                      There is a big difference between most safety related circuits and public facing web services: safety circuits mostly shield against a "dumb opponent": faulty hardware, whereas web pages typically fall to "smart opponents": hackers. Anyone with a moderate experience level in the field could trick a safety system into misbehaving all the way into major disaster, and the main reason this doesn't happen often is that bad actors typically can't access these systems.

                      However, few of these massive data leaks were d

                    • There is a big difference between most safety related circuits and public facing web services: safety circuits mostly shield against a "dumb opponent": faulty hardware

                      You keep saying that, without offering anything other than your opinion. Have you actually been involved in hardware / firmware development? I have. In one instance, firmware designed to ensure that only authorized individuals in a hospital can open a lock designed to protect controlled drugs from misuse. The security was appalling. Same is true for router firmware https://www.securityweek.com/c... [securityweek.com] and security cameras https://www.cbsnews.com/news/r... [cbsnews.com]. Why would you assume that firmware in trains or electr

                    • by Slayer ( 6656 )

                      You keep saying that, without offering anything other than your opinion. Have you actually been involved in hardware / firmware development? I have. In one instance, firmware designed to ensure that only authorized individuals in a hospital can open a lock designed to protect controlled drugs from misuse. The security was appalling.

                      Yes, sir, directly and personally and as a team lead. And if you had any real experience in this field, then you'd know that a "stupid lock to keep corrupt nurses away from opioids", however important it may sound to you, is nothing like a safety circuit rated for public transport. The latter are circuits (plus firmware) for which you actually have to prove beyond reasonable doubt that they either perform their job perfectly, or reliably switch the system to a safe state. Certification for such circuits can

                    • Of course, all they did was *stop* those trains (this time). They couldn't possibly have done anything else, because the software is so secure!

                    • by Slayer ( 6656 )

                      Of course, all they did was *stop* those trains (this time). They couldn't possibly have done anything else, because the software is so secure!

                      "Stopping the train" is considered the safe response to detected abnormal conditions, and that's apparently all which state level actors so far have been capable of. You can consider this as far apart from "full control of trains" as a DDoS would be from remote root level access. Let's also not forget that the two known affected train systems were Spanish and Belarusian, and that despite probably considerable and aggressive efforts neither Russian nor Ukrainian trains ever stopped during the last 2 y

                    • It doesn't matter what is "considered the safe response." What matters is that hackers were able to interfere with train operations. Once you're in, it's just a matter of deciding what you want to do.

                      I would suggest that the real reason infrastructure hasn't been a major hacking target, is that there's no money in it. That's the real motivation behind hack attempts.

                    • by Slayer ( 6656 )

                      It doesn't matter what is "considered the safe response." What matters is that hackers were able to interfere with train operations. Once you're in, it's just a matter of deciding what you want to do.

                      It's too close to a holiday for me to explain to you the difference between a forced safe shutdown and a full ransacking of a platform. Consider for a few minutes whether we would even be having this discussion had Equifax and Mr. Cooper just taken their services offline for an hour after a safety circuit determined unusual access to their DBs.

                      I would suggest that the real reason infrastructure hasn't been a major hacking target, is that there's no money in it. That's the real motivation behind hack attempts.

                      As I already described with my reference to Russia and Ukraine, there would be much more incentive to permanently disable each country's train system than all your "high value

                    • And how does one define "after a safety circuit determined unusual access to their DBs"? That's easy to say, hard to identify. Hackers are adept at disguising their database queries as "normal" queries.

                      You talk of incentive, and that evades the point. If your systems are protected only by the lack of incentive to compromise them in certain ways, they aren't protected at all. It's a matter of time before someone has the appropriate incentive to cause mayhem in a way that no one had incentive to do so before
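One way to make "unusual access to their DBs" concrete, as an added example that is not code from anyone in this thread, from Mr. Cooper or from Equifax: a detector that learns, from a baseline day, each database account's busiest hour (rows returned) and the client IPs it connects from, then flags any later hour that exceeds a multiple of that peak, and any account showing up from an IP not in the baseline. The audit-log line format, the account names, IPs, statements and row counts are all constructed for this example, and it assumes the audit log records rows returned per statement, which not every database audit facility does. The third sample log is the case the comment above raises: an attacker who keeps every hour under the threshold walks out with the table and triggers nothing.

```python
# Added example (not code from Mr. Cooper, Equifax, or anyone in this thread).
# Assumption: a database audit log that records, per statement, the
# timestamp, principal, client IP and number of rows returned. The line
# format below is constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    principal: str
    src_ip: str
    rows: int


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line: <iso ts>|<principal>|<src ip>|<rows>|<statement>."""
    ts, principal, src_ip, rows, _stmt = line.split("|", 4)
    return AuditEvent(datetime.fromisoformat(ts), principal, src_ip, int(rows))


def parse_lines(lines):
    return [parse_line(line) for line in lines]


def hourly_totals(events):
    """Rows returned per (principal, hour bucket)."""
    totals = defaultdict(int)
    for e in events:
        hour = e.ts.replace(minute=0, second=0, microsecond=0)
        totals[(e.principal, hour)] += e.rows
    return totals


def build_baseline(events):
    """Learn, per principal, the busiest hour seen and the client IPs seen."""
    peak = defaultdict(int)
    ips = defaultdict(set)
    for (p, _hour), n in hourly_totals(events).items():
        peak[p] = max(peak[p], n)
    for e in events:
        ips[e.principal].add(e.src_ip)
    return dict(peak), dict(ips)


def detect(baseline, events, factor=5):
    """Return (time, principal, reason) alerts: one per hour whose row volume
    exceeds factor x the principal's baseline peak, and one per (principal, IP)
    pair never seen in the baseline."""
    peak, ips = baseline
    alerts = []
    for (p, hour), n in sorted(hourly_totals(events).items(), key=lambda kv: kv[0][1]):
        limit = factor * max(peak.get(p, 0), 1)
        if n > limit:
            alerts.append((hour.isoformat(), p, f"volume: {n} rows in one hour, limit {limit}"))
    seen = set()
    for e in events:
        key = (e.principal, e.src_ip)
        if e.src_ip not in ips.get(e.principal, set()) and key not in seen:
            seen.add(key)
            alerts.append((e.ts.isoformat(), e.principal, f"new source: {e.src_ip}"))
    return alerts


def total_rows(events):
    return sum(e.rows for e in events)


# Constructed sample logs. Day 1 is the learning period: an application
# account reading a few hundred rows per hour, plus a nightly batch job.
BASELINE_LOG = [
    f"2023-12-01T{h:02d}:00:00|app_svc|10.0.1.5|200|SELECT * FROM loans WHERE id=?"
    for h in range(9, 18)
] + ["2023-12-01T23:00:00|batch_svc|10.0.2.7|50000|SELECT * FROM loans"]

# Day 2: one 1.2M-row pull at 02:15, and the batch job run from an unknown host.
BULK_LOG = [
    f"2023-12-02T{h:02d}:00:00|app_svc|10.0.1.5|200|SELECT * FROM loans WHERE id=?"
    for h in range(9, 18)
] + [
    "2023-12-02T02:15:00|app_svc|10.0.1.5|1200000|SELECT * FROM borrowers",
    "2023-12-02T23:00:00|batch_svc|10.0.9.9|40000|SELECT * FROM loans",
]

# Day 3: the same account and IP reading 900 rows every hour, always under the limit.
SLOW_LOG = [
    f"2023-12-03T{h:02d}:30:00|app_svc|10.0.1.5|900|SELECT * FROM borrowers LIMIT 900 OFFSET ?"
    for h in range(24)
]

if __name__ == "__main__":
    base = build_baseline(parse_lines(BASELINE_LOG))
    for alert in detect(base, parse_lines(BULK_LOG)):
        print("ALERT", *alert)
    slow = parse_lines(SLOW_LOG)
    print("slow-drip alerts:", detect(base, slow), "rows taken:", total_rows(slow))
```

Against the day 2 log this raises two alerts (the 02:00 hour for app_svc, and batch_svc from 10.0.9.9); against the day 3 log it raises none while 21,600 rows leave the database. That gap is the point of the objection: a per-hour volume threshold is a useful tripwire for the smash-and-grab case, but to behave like a "safety circuit" it needs companions that the slow case cannot sit under, such as a cumulative daily row budget per principal, limits on full-table reads of sensitive tables regardless of rate, and alerting on statement shapes the application never issues.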

                    • by Slayer ( 6656 )

                      And how does one define "after a safety circuit determined unusual access to their DBs"? That's easy to say, hard to identify.

                      Yes, this is precisely what makes circuits for person safety a challenge, and it requires a vastly different mind set than the current culture in web services. BTDT.

                      Hackers are adept at disguising their database queries as "normal" queries.

                      Yes, one mitigating factor for public transport is that most safety circuits' assumed threats are (randomly) faulty components (which I called "dumb opponents" before), whereas human hackers can be cunning and smart enough to simulate "normal operation" where operation is anything but normal and safe. We all observed this in action at the nucle

          • Do you have actual evidence that Equifax had lax security?

            Their Chief Security Officer had no Security training or background. Does that imply lax security to you?

            Mr. Cooper will lose money from potential customers who have heard about the breach and choose to go with a different lender.

            No they won't. They don't have customers. They BOUGHT all of the mortgages that they service. They were a Collections Agency that decided to get into the mortgage game. Nobody in their right mind would ever seek to have Mr. Cooper attend to their home loan.

            • Their Chief Security Officer had no Security training or background. Does that imply lax security to you?

              Not without knowing more about this guy and what he has picked up on the job. As we computer programmers well know, a college education or certificate does not make a good programmer, nor does a degree or certificate provide a good indicator of the capabilities of a candidate.

              Nobody in their right mind would ever seek to have Mr. Cooper attend to their home loan.

              Maybe that's my problem! I personally am a party to a mortgage in which we willingly refinanced with Mr. Cooper. And I've spent three years running a software team in the mortgage industry, so I know something about mortgages and mortg

              • Not without knowing more about this guy and what he has picked up on the job.

                It was a gal, and I mentioned her background. CISO is NOT the job to be learning from on-the-job experience. You should be getting OJT at a much lower level first. Ergo, they were patently unfit for duty.

                Maybe that's my problem! I personally am a party to a mortgage in which we willingly refinanced with Mr. Cooper.

                I am guessing you are not realizing that they have the ethics of a collections agency because... that is exclusively what they were until they bought a large number of mortgages a few years ago.

                • Sorry, I didn't read the bio, and it's a male-dominated industry.

                  And few C-level executives have actually come up through the trenches, as you suggest should have happened. Instead, they rely on experts that they hire, to know all about the nuts and bolts.

                  You may have a well-earned perception of the ethics of collections agencies, but I have encountered some good ones in the bunch. You are making assumptions based on a stereotype, not a judgment based on evidence.

      • by quetwo ( 1203948 )

        The thing about this one is -- most of their customers never chose them. Mr. Cooper (NationStar) bought all those loans from the places that these customers DID want to do business with. Customers sign up with a mortgage lender they have a relationship with (or at least chose for some reason or another), and those banks package up those loans and send them off to hucksters like Mr. Cooper who don't secure their data. And getting a new mortgage just because yours got sold costs a LOT of money -- to refina

        • You accuse Mr. Cooper of failing to secure their data, but you have no evidence of this. A breach, by itself, is not evidence of poor security practices.

          And if you don't want your mortgage to be sold, you can do your due diligence and use a lender that doesn't sell their inventory. Chase is an example, they hold onto the mortgages they write. Your loan officer will know the answer to this question.

          • by quetwo ( 1203948 )

            My loan was through a local bank who had a record of holding onto mortgages for over 50 years. The bank got purchased by Chase and then the mortgages were sold off to a company that sold it to Mr. Cooper.

            Evidence is in the pudding. There should be no scenario where customer data would be in the same place as bank routing information. EVER. Save a smash-and-grab where Carmen Sandiego grabbed every server in their data center, the data would need to be segmented. While PCI-DSS does not cover ACH withdrawals

          • And if you don't want your mortgage to be sold, you can do your due diligence and use a lender that doesn't sell their inventory.

            Countrywide, Bank of America, Nationstar/Mr Cooper. Countrywide went broke (duh!) and BofA bought their mortgages. What can a person do except get a new mortgage? But then BofA sold that mortgage to Mr Cooper. New mortgage is again, the only option.

            Have a nice day in your theoretical world where a person has full control of everything around them.

            • So maybe Countrywide customers made a bad choice? Or maybe, we should stop daydreaming and understand that security breaches happen, TO THE BEST of them.

    • They will not have to pay a dime for that, right? They probably just trashed the credit rating of millions, but nothing bad will happen to these dimwits. Nobody will hold them accountable for their crappy security and everyone will just shrug it off.

      Blame the victim much? Sure, they walked down the alley in a short skirt and no weapons, but they aren't the one who raped themselves.

      I dislike how "blaming the victim" became "no responsibility" for the victim. At least in a rape, the victim paid their price. In this situation, not so much. Mostly because Mr. Cooper is not the real victim here. People like you and I are. And we did pay the price... for something we had no control over.

  • by DarkOx ( 621550 ) on Monday December 18, 2023 @02:38PM (#64089661) Journal

    Not to say that it's ideal that this stuff gets leaked, but honestly, should companies even have to disclose this?

      Mr. Cooper said the hackers stole customer names (more or less public info - do a title search), addresses (ditto), dates of birth (easily discovered) and phone numbers (we used to print these in books), as well as customer Social Security numbers (I mean yes, but for most folks you have birthday and state, this is a four-digit number, for the younger cohort it almost certainly leaked anyway...) and bank account numbers (cool, everyone I have ever written a check to has those too, so what really).

    The bigger problem is pretending any of this stuff is still useful or acceptable as an authentication secret. For almost all of us it is out there, easy enough to gather with some effort if you are being personally targeted. Likely in some big database dumps that can be purchased for a few hundred bucks by anyone looking to scam/spam people in bulk.

    Address + birthday + SSN is still widely used as all that is needed for financial accounts, which needs to just stop. Nobody should be accepting that without additional evidence for anything financially consequential and any identity theft disputes where that was the only authenticating information should require no more rebuttal than 'yeah my dude that wasn't me'.

    If that adds friction and makes 'online' $BUSINESS too hard to do - so be it. Because again, at this point treating those as acceptable identity factors on their own is as negligent as leaving your database of those things exposed to the internet.

    • by Astfgl ( 203296 )
      Sure, the odds are that if you have ever taken out a loan of any kind (assuming you are in a country covered by the Big 3 Credit Reporting Agencies), your data has been scavenged in one or more breaches by now. So, most of us here have probably already done this, but if you haven't, freeze your credit reports. The primary reason why thieves want to steal your identity is so that they can take out loans on your behalf, and skip away with the cash, leaving you responsible for the loan payments, often withou
  • by sentiblue ( 3535839 ) on Monday December 18, 2023 @03:01PM (#64089733)
    I did get a vague message from Mr. Cooper that my autopayment was going to show up late in my balance but they said absolutely nothing about the breach. When I first found out about the breach, I replied to their notification and mentioned this. You guessed it, they didn't reply. Other than that I received absolutely zero communication from them that my personal information may have been stolen.
    • Same here. I've been watching this story and haven't heard anything from Mr. Cooper. Even when I reached out a month ago. I had the feeling that the breach was far worse than they had disclosed. I have already frozen all of my credit reports. I learned my lesson years ago to never allow utilities or mortgage holders automatic withdrawal access to your bank account because they will ALWAYS betray that trust.

      At this point I'm very interested in being a class representative for my state when the class act

  • "hackin' with mr. cooper", wasn't it?

  • As somebody who begrudgingly did business with Mr Cooper for about 12 years, I don't doubt this is the 2nd or 3rd time this happened...they just finally upped their game enough to find out this time.

    And by 'up their game' I mean the bad guys actually pressed the button to ruin their systems for a few days. I'm sure more than one actor was in there in the first place.

  • Comment removed based on user account deletion
    • who is this mr cooper?

      An incredibly successful collections agency named Nationstar who needed to ditch their scummy name and create a new one that seems happy and friendly for all of the mortgages they bought.

      (you can see this isn't going to end well, but some people will get rich, so meh)
