Title insurance giant Fidelity National Financial says it has contained a “cybersecurity incident” and is “restoring normal business operations and is coordinating with its customers.” But the company refuses to say whether it was the target of a ransomware attack, sparking speculation that it paid a ransom to hackers.

In a Securities and Exchange Commission filing Thursday, Fidelity National Financial (FNF) notified investors that it first became aware of “a cybersecurity incident that impacted certain of our systems” on Nov. 19. The filing — which is dated Nov. 29, but was not made public until the following day — informed FNF investors that the incident was contained on Nov. 26.

FNF had previously disclosed on Nov. 21 that it had “recently become aware” of the incident, but did not provide the date. As part of its containment measures, the company said last week that it had “blocked access to certain of our systems, which resulted in disruptions to our business,” including the company’s title insurance, escrow and mortgage transaction services.

Technology FNF provides to the real estate and mortgage industries was also affected, the company said.

Based in Jacksonville, Florida, FNF is the nation’s largest title insurer, providing services through subsidiaries including Chicago Title, Fidelity National Title and Commonwealth Land Title.

In addition to title and escrow services, FNF facilitates the production and management of mortgage loans through its ServiceLink subsidiary, mortgage loan subservicing through subsidiary LoanCare, and 1031 exchanges through IPX1031.

While a cyberattack on a major player in getting homebuyers to the closing table had the potential to disrupt the real estate industry, FNF has been tight-lipped in its public statements about the causes of the incident and the extent of impacts on clients.

Reports that FNF was hit by ransomware groups that have gone after a number of big corporations have now given way to speculation that the company paid a ransom to regain access to affected systems.

The Register, a publication for information technology professionals, reported that a ransomware group known as ALPHV (BlackCat) claimed responsibility for the FNF attack on Nov. 22.

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory on Nov. 21 warning of a software vulnerability, Citrix Bleed, being exploited by “multiple threat actor groups” including LockBit 3.0 and affiliates.

Citrix publicly disclosed the vulnerability in an Oct. 10 security bulletin, which issued guidance and detailed affected products and recommended fixes.

Kevin Beaumont, a UK-based cybersecurity researcher, has concluded that FNF patched Citrix Bleed, but not before the company’s systems were compromised by a ransomware group.

Representatives for FNF, ServiceLink and IPX1031 have not responded to requests for comment from Inman and other media outlets.

On Thursday, TechCrunch’s Lorenzo Franceschi-Bicchierai reported that the ALPHV (BlackCat) ransomware group “removed the FNF listing from its leak site on the same day that FNF published its filing saying it had contained the incident. Sometimes, when listings disappear from a ransomware gang’s websites, it means the victim may have paid the ransom.”

“Maybe FNF paid … but who knows,” Franceschi-Bicchierai posted on the social media platform formerly known as Twitter. “Meanwhile more people affected are calling and emailing me hoping I can give them answers that I don’t have because FNF has not responded to any calls and emails.”

Email Matt Carter
