
First American Financial Hit By Ransomware Attack

First American Financial Corporation, a California-based financial services company, suffered a ransomware attack that forced it to take systems offline, including the public sites of some of its subsidiaries.

On 21 December, the company's website announced: "First American has experienced a cybersecurity incident. In response, we have taken certain systems offline and are working to return to normal business operations as soon as possible."

In its initial response, the company said its email systems had been taken offline and warned: "Anyone who received an email that appears to be from First American, First American Title or from FirstAm.com needs to be aware of the potential for cybersecurity risks and not to click on any links in the email." A fuller account followed in the company's filing with the Securities and Exchange Commission.

The company posted a notification at www.SEC.gov which states in part: "Following is a filing made by First American Financial Corporation (the 'Company') with the Securities and Exchange Commission on 22 December: [The Company] discovered unauthorized access on certain information technology systems. The Company immediately took action to contain, assess and remediate the incident. On December 20, 2023, the Company decided to isolate its systems from the internet."

The filing continues: "The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time." It adds that the Company has retained leading experts, is working with law enforcement and has notified certain regulatory authorities, and that during the disruption the Company's primary website may be inaccessible or inoperative.

On December 29, after nearly a week, the company began restoring access to its systems and resuming normal business operations. According to the company, although the investigation is still ongoing, the perpetrator accessed certain company systems, exfiltrated data, and encrypted data on some non-production systems. In the meantime, the company succeeded in bringing back the websites of title solutions provider DataTrace and of ACI, its valuation technology subsidiary.

In later updates, First American Financial Corporation stated that PRISM, its marketing and automation toolkit for title agents, and AgentNet, its platform for title agents, are back online.

A temporary site is being used to post status updates on the disruption.

Cyber Attacks on First American Financial

This is not the first time First American has been targeted by cybercriminals.

In May 2019, First American became aware of a breach caused by a vulnerability in EaglePro, its proprietary application for sharing documents containing consumer data: records could be retrieved simply by changing a sequential document number in the link, with no authentication. The company later paid nearly $500,000 to settle with the SEC in 2021 over its handling of the incident.
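The EaglePro flaw was a textbook insecure direct object reference (IDOR): a predictable identifier was the only thing standing between an anonymous visitor and someone else's file. The following is an added illustration written for this page, not code from First American or EaglePro; the `Document` records, user names, ids and function names are constructed and hypothetical. It shows the vulnerable lookup, the hardened lookup with authentication and an ownership check, a scraper loop that demonstrates why the sequential key space matters, and an unguessable share-token scheme for the legitimate case of handing a document to someone without an account.

```python
"""Added example (not First American's EaglePro code): the insecure direct object
reference (IDOR) pattern behind the 2019 leak, where documents were reachable
by a predictable sequential id with no ownership check, beside a hardened
version. All names, ids and records below are constructed for illustration."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Document:
    doc_id: int
    owner: str
    content: str


# Constructed sample store: sequential ids, like a naive document-sharing app.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", "closing statement for 12 Elm St"),
    1002: Document(1002, "bob", "wire instructions for escrow 44-0912"),
    1003: Document(1003, "carol", "bank statement and tax id"),
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Record missing, or caller is not permitted to learn that it exists."""


def fetch_document_vulnerable(doc_id: int) -> str:
    """The anti-pattern: whoever can guess an id gets the record.
    No authentication, no ownership check, and a sequential key space,
    so a loop over nearby ids dumps every customer's file."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.content


def fetch_document_hardened(doc_id: int, user: Optional[str]) -> str:
    """Same lookup with the two missing controls: the caller must be logged in,
    and the object is served only to its owner. A non-owner gets NotFound,
    the same error as a missing record, so ids cannot be probed for existence."""
    if user is None:
        raise Forbidden("login required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise NotFound(doc_id)
    return doc.content


def enumerate_ids(start: int, stop: int, user: Optional[str], hardened: bool) -> List[int]:
    """Walk a range of sequential ids the way a scraper would and return the ids
    that yielded a document. With hardened=False this is the 2019-style scrape."""
    found = []
    for i in range(start, stop):
        try:
            if hardened:
                fetch_document_hardened(i, user)
            else:
                fetch_document_vulnerable(i)
            found.append(i)
        except (NotFound, Forbidden):
            pass
    return found


# Second control: when a document must be shared with someone who has no account
# (a buyer, a lender), hand out a capability link carrying an unguessable token,
# never the sequential id itself.
SHARE_TOKENS: Dict[str, int] = {}


def create_share_link(doc_id: int, user: str) -> str:
    """Only the owner may mint a share token; 32 random bytes (256 bits)
    makes enumeration of tokens infeasible."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != user:
        raise NotFound(doc_id)
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = doc_id
    return token


def fetch_by_share_token(token: str) -> str:
    """Resolve a share token; an unknown token is indistinguishable from a revoked one."""
    doc_id = SHARE_TOKENS.get(token)
    if doc_id is None:
        raise NotFound("invalid share token")
    return DOCS[doc_id].content


if __name__ == "__main__":
    print("vulnerable scrape leaked ids:", enumerate_ids(1000, 1010, None, hardened=False))
    print("hardened, bob logged in:     ", enumerate_ids(1000, 1010, "bob", hardened=True))
    print("hardened, anonymous:         ", enumerate_ids(1000, 1010, None, hardened=True))
```

The point the scraper loop makes is that the ownership check, not obscurity of the id, is the control: even with the hardened lookup the ids stay sequential, and that is fine because a logged-in user only ever sees their own records. The share-token path exists for the one case where a per-user check cannot apply; revoking a share is simply deleting the token.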

KrebsOnSecurity reported in May 2019 that "the website for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003 until notified this week by KrebsOnSecurity." The settlement over the 2019 breach and the exposure of consumers' non-public information also led First American to pay $1 million to the New York Department of Financial Services in late November.

Ransomware Attacks on the Title Industry

The title industry has endured more than its share of security incidents, from the 2021 ransomware attack against the cloud storage provider Cloudstar to the November ransomware attack that knocked Fidelity National Financial offline for several days.

Chuck E Quinday, a spokesman for Fidelity National Financial, said this month that the cyberattack delayed some real estate closings for a period but that the company was still assessing the "financial ramifications" of the attack.

The AlphV/BlackCat ransomware group allegedly carried out the attack; Fidelity has not confirmed whether a ransom demand was paid. CISA has released a cybersecurity advisory on ALPHV/BlackCat ransomware so that organizations can take the measures needed to mitigate the threat.

Figure: Alphv/BlackCat Ransom Note | Source: SalvageData.com

For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.


Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.