Cyber-attack Timeline: Mr. Cooper

Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience

Download Our Educational Cyber-Attack Timeline (Mr. Cooper)

At Cyber Management Alliance, Cyber Incident Planning & Response and Ransomware Response are our passion. We study and analyse cyber-attacks and ransomware attacks to create informational visual timelines which can be easily read for educational purposes and to enhance cyber resilience.

For the Mr. Cooper Cyber Attack, we have created a visual timeline and an accompanying detailed report. Download it now.

Don't forget to read our blog on the Mr. Cooper Cyber Attack.

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • GDPR: We wholeheartedly believe in your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data.
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Mr. Cooper attack document and timeline.

FAQs on Mr. Cooper

  • 1. What happened in the Mr. Cooper cyber attack?

    Mr. Cooper, one of the largest mortgage servicers in the United States (formerly Nationstar Mortgage), disclosed a cyber attack on 31 October 2023. The company detected unauthorised access to its systems and shut systems down as a precaution, including its online payment portal, leaving millions of customers temporarily unable to make mortgage payments. Mr. Cooper later confirmed that the personal information of around 14.7 million current and former customers had been exposed, making it one of the largest data breaches in the US financial sector in 2023.

  • 2. When did the Mr. Cooper cyber attack take place?

    Mr. Cooper detected the incident on 31 October 2023 and notified customers the same day. The company later determined, through its investigation, that unauthorised access to its systems occurred between 30 October and 1 November 2023. Systems were brought back online progressively, with servicing operations restarting on 4 November 2023, and the full scale of the breach (around 14.7 million people affected) was disclosed on 15 December 2023.

  • 3. Who was behind the Mr. Cooper cyber attack?

    The attacker has not been publicly identified. Mr. Cooper did not name a threat actor or confirm whether the incident was a ransomware attack, and the company declined to comment publicly on whether any extortion demand was made. No group claimed responsibility in the reporting available, so attribution for the Mr. Cooper breach remains unknown.

  • 4. Was the Mr. Cooper attack a ransomware attack?

    Mr. Cooper did not confirm that the incident was a ransomware attack, and no ransom payment was reported. Early reporting noted that, if it were ransomware, data may have been stolen for use as leverage, but the company described it only as a cybersecurity incident involving unauthorised access. Because Mr. Cooper did not disclose the attack method or any extortion demand, the precise nature of the attack has not been publicly established.

  • 5. What data was exposed in the Mr. Cooper data breach?

    According to the breach notifications Mr. Cooper filed with regulators in Maine and California, the exposed personal information included customers' names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers. This combination of identity and financial data is particularly sensitive and raised concerns about identity theft and fraud for those affected.

  • 6. How many people were affected by the Mr. Cooper breach?

    Mr. Cooper initially said it was still determining whether customer data had been taken, and on 15 December 2023 confirmed that the personal information of nearly 14.7 million current and former customers had been exposed. This was much higher than the company's roughly 4.1 million active customers at the time, because the breach also affected past customers whose data remained on file.

  • 7. How did the Mr. Cooper cyber attack affect customers?

    During the outage, customers were unable to log in to make mortgage or loan payments and were met with a notice about a system outage. Mr. Cooper directed them to alternative payment methods such as phone, mail, Western Union and MoneyGram, and said customers would not incur fees, penalties or negative credit reporting for late payments caused by the incident. Many customers voiced frustration on social media, particularly those who had made payments shortly before the shutdown and received no confirmation.

  • 8. Was a ransom paid, and how much did the Mr. Cooper attack cost?

    No ransom payment was reported, and Mr. Cooper did not confirm whether any ransom was demanded. In SEC filings the company estimated around $5 million to $10 million of additional vendor costs in the fourth quarter of 2023 and said it did not expect the incident to be material to its overall financial results. Moody's described the attack as credit negative, noting the impact would depend on the duration of the disruption, reputational damage and the scale of the breach.

  • 9. How long was Mr. Cooper down after the attack?

    Mr. Cooper's systems were inaccessible for roughly a week. The company shut systems down on 31 October 2023 and restarted servicing operations, including taking customer calls and payments, on 4 November 2023. Online payment acceptance was restored shortly afterwards, and originations systems were brought back as connectivity with vendors and agencies was re-established.

  • 10. How did Mr. Cooper respond to the cyber attack?

    Mr. Cooper locked down and shut down affected systems as a precaution, engaged external cybersecurity experts, notified US law enforcement and disclosed the incident to the SEC. It filed breach notification documents with state regulators, waived late fees and negative credit reporting tied to the outage, and offered affected customers two years of complimentary credit monitoring. The company also said it was monitoring the dark web and, as of mid-December 2023, had seen no evidence that the stolen data had been shared or published.

  • 11. Did Mr. Cooper face any legal or regulatory consequences?

    Yes. Mr. Cooper faced a class action lawsuit filed by the Pollard law firm, which alleged that the company failed to adequately protect customer data and that the sensitive information was stored on 'inadequately protected' servers. The 43-page complaint argued the breach was 'massive and preventable' and resulted from negligence. Mr. Cooper also reported the incident to the SEC and filed breach notifications with state regulators, including those in Maine and California.

  • 12. What can organisations learn from the Mr. Cooper cyber attack?

    The Mr. Cooper breach shows how quickly a cyber attack can halt core business operations and expose vast amounts of sensitive data, even at a large, established company. The key lessons are to protect and segment systems that hold financial and identity data, to retain only the customer data that is genuinely needed (former customers' records significantly increased the breach total), to maintain tested incident response and crisis communication plans, and to notify customers and regulators promptly. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry-experienced practitioners when it comes to cyber security training & cyber security consultancy services.

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

Virtual CISO Services

Hands-on, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information, and pressing the "Get your free copy now" button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and their outputs. (For example, we tend to create insightful mind maps and we are also the creators of the free-to-view Insights with Cyber Leaders Video Interviews.)
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.
