A federal judge is allowing a class-action lawsuit against mortgage mega-servicer Mr. Cooper—currently in the process of being acquired by Rocket—to move forward in part, ruling that the company must face claims of breach of contract and negligence from customers over a 2023 cyber attack that leaked millions of people’s private data to hackers, but dismissed more serious charges of unjust enrichment and invasion of privacy.
In October of 2023, Texas-based Mr. Cooper, which at the time claimed a portfolio of 4.3 million borrows, disclosed that it had suffered a “data breach,” which was later to revealed to be a successful cyber attack by malicious actors who obtained social security numbers and other highly sensitive information from “substantially all” current and former Mr. Cooper customers—almost 14 million people.
While writing that plaintiffs’ request for a court order and a declaration that Mr. Cooper broke the law were “too speculative,” Judge David C. Godbey ruled that they successfully argued that the company was negligent and breached its “implied contract” through poor security protocols
“Plaintiffs have sufficiently alleged that Defendants failed to adequately prepare for a cyberattack and secure their (private information),” he wrote, noting that Mr. Cooper previously admitted it was regularly targeted by hackers and pointed to the plaintiffs’ allegations that the company didn’t take “reasonable measures” to protect data.
Godbey declined to rule on state law claims by plaintiffs, saying that would be more appropriate at a later point in the litigation.
The parties are currently slated to debate a schedule for class certification, as Godbey initially set a deadline of March 13, 2026 to rule on a potential class, which plaintiffs say should include any whose information was compromised.
Earlier this year, Rocket Companies, the parent of Rocket Mortgage, Rocket Homes and a handful of other real estate entities, announced it planned to purchase Mr. Cooper for $9.4 billion, with the deal still pending. Rocket also recently closed another bid to purchase Redfin, with the explicit aim of expanding across the end-to-end real estate cycle.
Mr. Cooper, which claims to be the single largest servicer in the country, is a major part of that plan.
How the ongoing lawsuit might affect Rocket isn’t clear. A representative from Rocket did not respond to a request for comment on the ruling.
According to the lawsuit, Mr. Cooper customers have faced everything from scam calls and texts, to compromised bank accounts. Many were not current customers, but Mr. Cooper kept their information on file, allegedly ignoring best practices for both security and privacy. Plaintiffs also claim that data was sold on the “dark web” even after Mr. Cooper allegedly made an eight-figure payment to the hackers.
In June of 2024, a cybercriminal group known as Wockstar offered to sell source code allegedly used in the data breach for $50,000 in Bitcoin, according to the lawsuit, and even after the initial attack, Mr. Cooper stored sensitive information “in a careless manner,” including on an openly accessible Google Cloud “storage bucket.”
The plaintiffs also allege there was evidence of vulnerability and breaches going back years, including compromised accounts and websites that Mr. Cooper should have been aware of.
