Mr. Cooper, a major U.S. mortgage servicer, says an October data breach affected nearly 14.7 million people, including all its current and former customers.
Mr. Cooper provided a data breach notification to the Office of the Maine Attorney General saying a total 14,690,284 people were affected by the breach.
A written notice sent to breach victims says names, addresses, phone numbers, Social Security numbers, dates of birth and bank account numbers were stolen.
After detecting the intrusion on Oct. 31, Mr. Cooper shut down its systems, which resulted in a service outage between Nov. 1 and Nov. 4.
The company is offering all affected customers two years of free identity protection services through TransUnion's IdentityForce.
Victims are required to enroll for these services within 90 days of receiving the written breach notice.
Mr. Cooper breach scope increases triples.
Mr. Cooper had about 4.3 million customers as of Sept. 30, 2023, according to its website.
This suggests more than 10 million non-customers were caught in the crossfire, expanding the scope of the breach by more than three times.
The breach notice published through the Maine Attorney General's office outlines victim categories beyond current customers.
This includes former customers, current and former sister brand customers, customers of mortgage companies Mr. Cooper have been a servicing partner for and those who have applied for a home loan through the company.
Mr. Cooper did business as Centex Home Equity starting in 2001 and as Nationstar Mortgage starting in 2006, according to SEC records.
It is unclear exactly how far back the leaked data goes.
Mr. Cooper declined to provide further details to SC Media about the breach and the company's security measures.
Long-term data retention a requirement - and a risk.
Cybersecurity experts told SC Media that companies like Mr. Cooper frequently store former customers' data for several years due to regulatory requirements.
Data masking and continuous controls monitoring are additional tools businesses should use to defend both current and former customers' data, Pandey noted.
Despite a range of laws and guidelines instructing businesses to retain data for a certain number of years, companies can also take steps to ensure they are not keeping sensitive data longer than required, says Claude Mandy, chief evangelist of data security at Symmetry Systems.
Patrick Tiquet, vice president of security and architecture at Keeper Security, recommends companies regularly audit their data inventory and employ appropriate data protection measures.
The Mortgage Bankers Association, an organization that represents more than 2,200 companies in the real estate finance industry, offers information security guidelines with similar recommendations.
This Cyber News was published on packetstormsecurity.com. Publication date: Tue, 19 Dec 2023 15:13:05 +0000