The nation’s biggest title insurer continues to be tight-lipped about whether a cybersecurity incident that disrupted closings last month was a ransomware attack exploiting the Citrix Bleed vulnerability in Netscale, the suspected avenue for more recent attacks affecting dozens of credit unions.
Kicking off a “fireside chat” hosted by investment banking firm Keefe, Bruyette & Woods, Fidelity National Financial (FNF) CEO Mike Nolan said the company continues to “analyze affected data and to further assess our notification obligations.”
FNF has “cyber insurance with a $10 million retention, and the period of time that customers experienced disruption was relatively brief, as a portion of that time was over the Thanksgiving holiday weekend,” Nolan said.
After reading a short statement, Nolan said FNF does not plan “to comment further on any of the details related to the incident at this time.”
“While it is hard to predict any long-term effects, in my view, this incident does not change the long-standing competitive advantages and value-add that FNF provides to its customers,” Nolan said.
FNF had previously reported that on Nov. 19, it discovered an unauthorized third party had accessed certain systems and acquired credentials and data and that the incident was contained on Nov. 26.
In a Nov. 29 update to investors, FNF reported that it was “restoring normal business operations and is coordinating with its customers.” On Wednesday, Nolan said, “We have since resumed normal operations.”
FNF has provided few other details and has not responded to requests for comment from Inman and other news media outlets. However, warnings by security agencies and clues picked up by cybersecurity experts have led to speculation that FNF was hit by a ransomware attack, and may have paid a ransom to hackers to regain access to its systems.
Agencies including the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory on Nov. 21 warning of a software vulnerability, Citrix Bleed, that’s been exploited by “multiple threat actor groups,” including LockBit 3.0 and affiliates.
Citrix publicly disclosed the vulnerability in an Oct. 10 security bulletin, which issued guidance, detailed affected products and recommended fixes.
Kevin Beaumont, a UK-based cybersecurity researcher, has concluded that FNF patched Citrix Bleed — but not before the company’s systems were compromised.
Ransomware groups including LockBit 3.0 and affiliates have become “the world’s top ransomware threat,” targeting more than 1,700 American organizations in industries including financial services, food, schools, transportation and governments, Reuters recently reported.
Big companies that have been hit this year include Boeing, ION and the Industrial & Commercial Bank of China this year.
In the latest incident, operations at about 60 credit unions have been disrupted in the wake of a Nov. 26 ransomware attack on a cloud services provider Ongoing Operations, which is owned by the credit union technology firm Trellance, The Register reported Saturday.
The Register, a publication for information technology professionals, had previously reported that a ransomware group known as ALPHV (BlackCat) claimed responsibility for the FNF attack on Nov. 22.
Beaumont, the UK-based cybersecurity researcher, has concluded that Ongoing Operations also failed to patch the Citrix Bleed vulnerability in Netscale after it was discovered, blogging Monday that Citrix Bleed “has become the cybersecurity challenge of 2023.”
In addition to title and escrow services, FNF facilitates the production and management of mortgage loans through its ServiceLink subsidiary, mortgage loan subservicing through subsidiary LoanCare, and 1031 exchanges through IPX1031.
Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.