The nation’s biggest title insurer continues to be tight-lipped about whether a cybersecurity incident that disrupted closings last month was a ransomware attack exploiting the Citrix Bleed vulnerability in Netscaler, the suspected avenue for more recent attacks affecting dozens of credit unions.

Kicking off a “fireside chat” hosted by investment banking firm Keefe, Bruyette & Woods, Fidelity National Financial (FNF) CEO Mike Nolan said the company continues to “analyze affected data and to further assess our notification obligations.”

FNF has “cyber insurance with a $10 million retention, and the period of time that customers experienced disruption was relatively brief, as a portion of that time was over the Thanksgiving holiday weekend,” Nolan said.

After reading a short statement, Nolan said FNF does not plan “to comment further on any of the details related to the incident at this time.”

Mike Nolan

“While it is hard to predict any long-term effects, in my view, this incident does not change the long-standing competitive advantages and value-add that FNF provides to its customers,” Nolan said.

FNF had previously reported that on Nov. 19, it discovered an unauthorized third party had accessed certain systems and acquired credentials and data and that the incident was contained on Nov. 26.

In a Nov. 29 update to investors, FNF reported that it was “restoring normal business operations and is coordinating with its customers.” On Wednesday, Nolan said, “We have since resumed normal operations.”

FNF has provided few other details and has not responded to requests for comment from Inman and other news media outlets. However, warnings by security agencies and clues picked up by cybersecurity experts have led to speculation that FNF was hit by a ransomware attack, and may have paid a ransom to hackers to regain access to its systems.

Agencies including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory on Nov. 21 warning of a software vulnerability, Citrix Bleed, that’s been exploited by “multiple threat actor groups,” including LockBit 3.0 and affiliates.

Citrix publicly disclosed the vulnerability in an Oct. 10 security bulletin, which issued guidance, detailed affected products and recommended fixes.

Kevin Beaumont, a UK-based cybersecurity researcher, has concluded that FNF patched Citrix Bleed — but not before the company’s systems were compromised.

Ransomware groups including LockBit 3.0 and affiliates have become “the world’s top ransomware threat,” targeting more than 1,700 American organizations in industries including financial services, food, schools, transportation and governments, Reuters recently reported.

Big companies that have been hit this year include Boeing, ION and the Industrial & Commercial Bank of China this year.

In the latest incident, operations at about 60 credit unions have been disrupted in the wake of a Nov. 26 ransomware attack on a cloud services provider Ongoing Operations, which is owned by the credit union technology firm Trellance, The Register reported Saturday.

The Register, a publication for information technology professionals, had previously reported that a ransomware group known as ALPHV (BlackCat) claimed responsibility for the FNF attack on Nov. 22.

Beaumont, the UK-based cybersecurity researcher, has concluded that Ongoing Operations also failed to patch the Citrix Bleed vulnerability in Netscaler after it was discovered, blogging Monday that Citrix Bleed “has become the cybersecurity challenge of 2023.”

Based in Jacksonville, Florida, FNF provides title and closing services through subsidiaries including Chicago Title, Fidelity National Title and Commonwealth Land Title.

In addition to title and escrow services, FNF facilitates the production and management of mortgage loans through its ServiceLink subsidiary, mortgage loan subservicing through subsidiary LoanCare, and 1031 exchanges through IPX1031.

Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.

Email Matt Carter

Show Comments Hide Comments
Sign up for Inman’s Morning Headlines
What you need to know to start your day with all the latest industry developments
By submitting your email address, you agree to receive marketing emails from Inman.
Thank you for subscribing to Morning Headlines.
Back to top
Only 3 days left to register for Inman Connect Las Vegas before prices go up! Don't miss the premier event for real estate pros.Register Now ×
Limited Time Offer: Get 1 year of Inman Select for $199SUBSCRIBE×
Log in
If you created your account with Google or Facebook
Don't have an account?
Forgot your password?
No Problem

Simply enter the email address you used to create your account and click "Reset Password". You will receive additional instructions via email.

Forgot your username? If so please contact customer support at (510) 658-9252

Password Reset Confirmation

Password Reset Instructions have been sent to

Subscribe to The Weekender
Get the week's leading headlines delivered straight to your inbox.
Top headlines from around the real estate industry. Breaking news as it happens.
15 stories covering tech, special reports, video and opinion.
Unique features from hacker profiles to portal watch and video interviews.
Unique features from hacker profiles to portal watch and video interviews.
It looks like you’re already a Select Member!
To subscribe to exclusive newsletters, visit your email preferences in the account settings.
Up-to-the-minute news and interviews in your inbox, ticket discounts for Inman events and more
1-Step CheckoutPay with a credit card
By continuing, you agree to Inman’s Terms of Use and Privacy Policy.

You will be charged . Your subscription will automatically renew for on . For more details on our payment terms and how to cancel, click here.

Interested in a group subscription?
Finish setting up your subscription