Cyberattack Disrupts Mortgage Payments for Millions of Mr. Cooper Customers

Mr. Cooper, one of America’s largest nonbank mortgage loan servicers, suffered a cyberattack last week that disrupted loan payments and other transactions for millions of customers.

The company, based in Coppell, Texas, said in a regulatory filing last week that it was attacked on Oct. 31. A notice on its website said Mr. Cooper “took immediate steps to lock down our systems” — which prevented customers from making online loan payments or gaining access to their account information.

The company said Monday afternoon that it had restored its system for accepting online payments. The notice also pointed customers toward options for making payments by phone, mail, Western Union or MoneyGram.

“Mr. Cooper customers and customers whose loans we service on behalf of our clients who have tried or need to make payments will not incur fees, penalties or negative credit reporting as we work to fully resolve this issue,” a company spokesman said in a written statement.

Mr. Cooper, formerly known as Nationstar, services mortgage loans for 4.3 million customers.

Since the attack, customers have been hammering its social media accounts with complaints. “I made a rather large payment yesterday and can’t even get a confirmation,” one person wrote on X, the site formerly known as Twitter. Another said he was desperate for help from the company in advance of a foreclosure scheduled for this week.

The company said on a website it set up to provide information about the incident that it was “truly sorry” for the disruptions.

Mr. Cooper said it was still trying to determine if customer data had been stolen. The company did not offer an estimate on when it would be able to fully restore its data systems.

In its regulatory filing last week, Mr. Cooper said it did not think the attack would have a “material adverse effect” on its operations or finances. But on Tuesday, Stephen Lynch, a senior credit officer at the credit rating business Moody’s Investors Service, said that Moody’s was monitoring the incident and that its impact would “depend on duration of the disruptions, ensuing potential reputational damage and magnitude of the breach.”

The Federal Trade Commission recently finalized a rule requiring nonbank financial institutions to notify the agency within 30 days of a data breach affecting 500 or more customers. Samuel Levine, the director of the commission’s Bureau of Consumer Protection, said the disclosure requirement — which will take effect next year — would “provide companies with additional incentive to safeguard consumers’ data.”