Incident & Breach Response , Security Operations
Fidelity National Financial Details LoanCare Breach
1.3 Million Customers Notified of Breach; BlackCat Ransomware Group Claimed CreditMortgage industry giant Fidelity National Financial confirmed that a November 2023 hacking incident compromised personal information pertaining to 1.3 U.S. million customers.
See Also: Effective Communication Is Key to Successful Cybersecurity
"We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating and exfiltrated certain data," the real estate title insurance and transaction service provider said in a Tuesday regulatory filing.
"At this time, we do not believe that the incident will have a material impact on the company," it told investors. It didn't detail what type of information attackers had stolen or the malware they had used. The Jacksonville, Florida, company reported 2022 revenue of $11.4 billion.
The data breach affected LoanCare, a fully-owned subsidiary based in Virginia Beach, Virginia.
The ransomware-as-a-service group Alphv, aka BlackCat, took responsibility for the attack. Several weeks later, law enforcement disrupted the ransomware group's operations.
Following the attack on LoanCare, first detected on Nov. 19, Fidelity National Financial said it "took containment measures such as blocking access to certain of our systems resulting in varying levels of disruption to our businesses."
At the time, a real estate broker told Real Estate News that her homebuying clients were having trouble closing on their houses - and not just via LoanCare. She said FNF had told her that it also temporarily shut down systems for other subsidiaries, including Alamo Title, Chicago Title, Commonwealth Land Title and National Title of New York.
LoanCare isn't the only mortgage industry firm to have recently suffered a serious hack attack and data breach. Last October, a hack attack against Texas-based mortgage lender Mr. Cooper led to the theft of information pertaining to 14.7 million individuals, comprising every one of the firm's current and former customers.
On Thursday, hackers infiltrated non-bank mortgage lending giant LoanDepot's network and accessed and encrypted data, the company first said on Monday. "We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible," it told customers in its latest breach update, issued the same day.
LoanCare Customers Notified
Fidelity National Financial on Tuesday said it has finished alerting the approximately 1.3 million customers affected by its LoanCare breach and is offering them prepaid credit monitoring, web monitoring and identity theft detection services. The company said it has also notified all applicable state attorneys general and other regulators and that law enforcement is continuing to probe the breach.
FNF said it has been named as a defendant in multiple lawsuits as a result of the breach.
One proposed class action lawsuit, filed last month in the U.S. District Court for the District of Central California by a LoanCare client, accuses Fidelity National Financial and its subsidiary of having "failed to take reasonable measures to secure its system."
The complaint states: "The data breach itself and information defendants have disclosed about the breach to date, including its length, the need to remediate defendants' cybersecurity and the sensitive nature of the impacted data, collectively demonstrate defendants failed to implement reasonable measures."
FNF said it "will vigorously defend itself against any litigation filed related to the incident."
Timeline
Based largely on FNF's SEC filings, here is a timeline for the hack attack and the company's recovery:
- Nov. 19, 2023: FNF said it had detected an intrusion and launched an investigation, bringing in third-party experts.
- Nov. 20: This is the last confirmed date attackers accessed FNF's network.
- Nov. 21: FNF said in an SEC filing that during its breach response, it had blocked access to some services, including ones tied to "title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries."
- Nov. 22: The Alphv/BlackCat ransomware-as-a-service group took credit for the attack, hedged about whether it had stolen any data, and criticized FNF for hiring Google Cloud's Mandiant incident response group to investigate.
- Nov. 26: The breach was "contained," FNF said.
- Dec. 6: Operations at FNF were fully restored.
- Dec. 13: The digital forensic investigation concluded.
- Dec. 20: Fidelity National Financial began notifying affected customers and applicable state attorneys general and regulators.