Inman

Title insurer Fidelity restoring operations after security incident

Title insurance giant Fidelity National Financial says it has contained a “cybersecurity incident” and is “restoring normal business operations and is coordinating with its customers.” But the company refuses to say whether it was the target of a ransomware attack, sparking speculation that it paid a ransom to hackers.

In a Securities and Exchange Commission filing Thursday, Fidelity National Financial (FNF) notified investors that it first became aware of “a cybersecurity incident that impacted certain of our systems” on Nov. 19. The filing — which is dated Nov. 29, but was not made public until the following day — informed FNF investors that the incident was contained on Nov. 26.

FNF had previously disclosed on Nov. 21 that it had “recently become aware” of the incident, but did not provide the date. As part of its containment measures, the company said last week that it had “blocked access to certain of our systems, which resulted in disruptions to our business,” including the company’s title insurance, escrow and mortgage transaction services.

Technology FNF provides to the real estate and mortgage industries was also affected, the company said.

Based in Jacksonville, Florida, FNF is the nation’s largest title insurer, providing services through subsidiaries including Chicago Title, Fidelity National Title and Commonwealth Land Title.

In addition to title and escrow services, FNF facilitates the production and management of mortgage loans through its ServiceLink subsidiary, mortgage loan subservicing through subsidiary LoanCare, and 1031 exchanges through IPX1031.

While a cyberattack on a major player in getting homebuyers to the closing table had the potential to disrupt the real estate industry, FNF has been tight-lipped in its public statements about the causes of the incident and the extent of impacts on clients.

Reports that FNF was hit by ransomware groups that have gone after a number of big corporations have now given way to speculation that the company paid a ransom to regain access to affected systems.

The Register, a publication for information technology professionals, reported that a ransomware group known as ALPHV (BlackCat) claimed responsibility for the FNF attack on Nov. 22.

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory on Nov. 21 warning of a software vulnerability, Citrix Bleed, being exploited by “multiple threat actor groups” including LockBit 3.0 and affiliates.

Citrix publicly disclosed the vulnerability in an Oct. 10 security bulletin, which offered guidance and detailed the affected products and recommended fixes.

Kevin Beaumont, a UK-based cybersecurity researcher, has concluded that FNF patched Citrix Bleed, but not before the company’s systems were compromised by a ransomware group.

Representatives for FNF, ServiceLink and IPX1031 have not responded to requests for comment from Inman and other media outlets.

On Thursday, TechCrunch’s Lorenzo Franceschi-Bicchierai reported that the ALPHV (BlackCat) ransomware group “removed the FNF listing from its leak site on the same day that FNF published its filing saying it had contained the incident. Sometimes, when listings disappear from a ransomware gang’s websites, it means the victim may have paid the ransom.”

“Maybe FNF paid … but who knows,” Franceschi-Bicchierai posted on the social media platform formerly known as Twitter. “Meanwhile more people affected are calling and emailing me hoping I can give them answers that I don’t have because FNF has not responded to any calls and emails.”

Email Matt Carter