Court Permits Mr. Cooper Data Breach Lawsuit to Progress — RISMedia

A federal judge has permitted a class-action lawsuit against Mr. Cooper, a prominent mortgage servicer currently being acquired by Rocket Companies, to proceed. The suit includes allegations of breach of contract and negligence stemming from a significant cyber attack in 2023 that compromised the personal information of nearly 14 million customers. However, more severe claims, including unjust enrichment and invasion of privacy, have been dismissed.

In October 2023, Mr. Cooper, based in Texas and with a reported portfolio of 4.3 million borrowers, revealed it had fallen victim to a serious data breach. This incident, later confirmed to be a deliberate cyber attack, resulted in hackers gaining access to Social Security numbers and other sensitive information from a vast majority of both current and former customers, affecting approximately 14 million individuals.

Judge David C. Godbey acknowledged the plaintiffs’ arguments, stating that they had adequately demonstrated that Mr. Cooper’s failure to implement robust security measures constituted negligence and violated an implied contractual obligation. The judge characterized the plaintiffs’ request for court declarations regarding the legality of Mr. Cooper’s conduct as “too speculative.” Yet, he emphasized that the negligence claims were persuasive, highlighting that Mr. Cooper had been aware of its vulnerability to cyber threats.

Within the ruling, Godbey pointed out that Mr. Cooper failed to take adequate precautions to safeguard customer data, noting that the company had previously acknowledged its attractiveness to cybercriminals. The case will now proceed to establish a class certification schedule; the judge has set a timeline for potential class consideration by March 13, 2026, covering all individuals whose personal information was affected by the breach.

Rocket Companies, the owner of various real estate services, including Rocket Mortgage, announced its intention to acquire Mr. Cooper for $9.4 billion earlier this year. This acquisition is still pending, and Rocket has also been involved in another significant acquisition related to Redfin, indicating a strategic intent to broaden its operations within the real estate sector.

Despite Mr. Cooper’s status as one of the nation’s largest mortgage servicers, the implications of the ongoing lawsuit for Rocket remain uncertain. A representative from Rocket declined to comment on the ruling. The lawsuit outlines serious concerns for Mr. Cooper customers, who have reported fraudulent calls, texts, and issues with compromised bank accounts. Many of those impacted were not current clients, suggesting a negligent retention of personal data that disregards established security and privacy protocols.

The plaintiffs also allege that despite a significant financial payout made to hackers after the breach, customer data may have been sold on the dark web. In a notable incident from June 2024, the cybercriminal group Wockstar reportedly attempted to sell source code linked to the breach for $50,000 in Bitcoin, underscoring the severity of the compromise.

Furthermore, evidence presented in the lawsuit indicates that sensitive customer information was stored carelessly, including on publicly accessible Google Cloud storage, raising significant concerns about the company’s data handling practices. The claims suggest that vulnerabilities and breaches related to Mr. Cooper’s security have persisted for years, indicating a neglect of industry standards and a failure to address known risks.
