Mortgage giant Mr. Cooper using alternative payment options after cyberattack

Texas-based mortgage giant Mr. Cooper is offering customers alternate ways of paying off loans after a cyberattack on October 31.

In updated instructions on Monday, the company provided customers with several different ways to make payments, including by phone, mail service, Western Union and MoneyGram. There is also a one-time web payment option.

The company claims to have more than 4.3 million customers and is the largest non-bank mortgage servicer in the U.S. It provides servicing and originations for homeowners throughout the country and manages a servicing portfolio of $937 billion.

On Wednesday, customers attempting to log in to Mr. Cooper's website to pay their mortgages or loans were instead greeted with a message stating that the company was suffering a technical outage.

The company later reported that a cyberattack severely affected its systems. They did not respond to requests for comment about whether they are dealing with a ransomware attack.

“On October 31, Mr. Cooper became the target of a cybersecurity incident and took immediate steps to lock down our systems in order to keep your data safe. Our systems remain locked down, and we are working on a resolution as quickly as possible,” the company said on a temporary website dedicated to providing updates on the situation.

“Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue. However, in an effort to protect systems and customer data, we've temporarily updated our available payment options.”

After discovering the attack, the IT team deployed “containment measures to protect systems and customer data, as well as shut down certain systems.”

The company added that it is investigating the incident to determine if data was stolen. If they do find that data was accessed or taken by hackers, the company pledged to provide victims with identity protection services.

Last week, the Federal Trade Commission raised concerns about cyberattacks on non-banking financial institutions and approved a new rule that will make it mandatory for them to report data breaches and security events within 30 days.