The Mr Cooper data breach which exposed sensitive information belonging to over 14 million mortgage holders underscores the need for financial institutions to implement more robust security measures, according to cyber professionals.
Nick Tausek, lead security automation analyst at Swimlane, said the security blunder raises questions over practices among ‘non-bank’ financial institutions, which account for a significant portion of the broader financial services industry.
The Mr Cooper data breach saw hackers gain access to the personal data of 14.7 million customers, making it one of the largest breaches in recent memory.
The company initially became aware of unauthorized third-party access to its technology systems on 31 October 2023, according to its SEC filing updating its breach disclosure.
A forensic review conducted by the company determined the information relating to “substantially all of [Mr. Cooper’s] current and former customers” was obtained during the incident.
Mr Cooper reported the threat actors were able to exfiltrate customer names, addresses, phone numbers, dates of birth, social security numbers, and bank account numbers.
The extent of the personal information accessed by the hackers means all affected customers will now be exposed to a number of attacks including phishing and social engineering attacks, as well as identity theft and bank fraud.
In an update issued last week, the mortgage lender said it will provide two years of free credit monitoring and identity protection services to any existing or former customers affected by the incident.
This service will be provided by fraud assistance specialists Cyberscout, and the firm has also set up a dedicated call center to provide additional support to customers.
In its SEC filing, the US mortgage lender increased its initial estimate of the incident’s costs from $5 – $10 million to $25 million as a result of its decision to offer customers identity protection services for two years.
Mr Cooper breach lays bare concerns over security in finance
This incident occurred very soon after the Federal Trade Commission (FTC) amended its Safeguards Rule requiring non-banking financial institutions to report data breaches directly to the FTC.
The new disclosure requirements, set to come into effect in 2024, will mandate companies disclose any data breaches involving third parties accessing the personal information of at least 500 customers.
These disclosures will have a 30 day deadline after which point the company can be sanctioned by the FTC.
With these new requirements, it is increasingly important for these non-banking financial institutions to ensure their security protocols are robust and are able to respond quickly to data breaches, experts said.
Tausek noted the proximity of the Mr Cooper data breach to the FTC’s amendment of the Safeguards Rule and added a worrying number of security practitioners at financial institutions are reporting costly data breaches.
Discover how you can boost service quality and drive down ticket volumes
“The Federal Trade Commission's amendment to the Safeguards Rule, making it mandatory for non-banking financial institutions to report data breaches within 30 days, came one week before Mr Cooper’s cyber attack."
Nearly half (42%) of security practitioners at finance firms reported at least one breach in 2023, according to a recent study, with the average cost amounting to roughly $1 million.
As such, Tausek underscored the importance of robust security measures in this industry, where the penalties for breaches are so high.
“This reaffirms the vulnerability of institutions in this sector,” he added.
“Organizations that manage millions of customers' sensitive data must stay hyper-vigilant, continually evaluating their security measures.”
Andrew Costis, chapter lead of AttackIQ’s Adversary Research Team, echoed Tausek's comments, adding that financial services firms must place a stronger focus on security given the critical nature of the data they hold and process.
“For organizations like Mr Cooper with millions of customers, a single breach can have devastating consequences," he said.
"To stay ahead, a proactive threat-informed cyber defense strategy is crucial. By studying the common tactics, techniques, and procedures (TTPs) used by threat actors, organizations can test their systems and align their security defenses against these attacks."
