Inman

Title insurer First American and many subsidiaries remain offline


Title insurance giant First American Financial and some of its subsidiaries remained offline Tuesday after a cybersecurity incident prompted the company to isolate its systems from the internet on Dec. 20.

The outage has derailed closings and generated a wave of complaints about the lack of communication from the company, which, through a temporary website, has released scant details about the cybersecurity incident or the prospects for getting the company up and running again.

As of Tuesday afternoon — the day after Christmas — no new bulletins had been posted on the temporary website, FirstAmUpdate.com, since Dec. 22, when First American warned clients to be wary of fake emails because it had taken its email system offline.

In a Securities and Exchange Commission filing the same day, First American said it was “working diligently” to restore systems it had taken offline, but could not estimate “the duration or extent of the disruption at this time.”

The First American Financial Corp. family of companies, which includes First American Title Insurance and First American Title Guaranty, is collectively the nation’s second-largest title insurer.

First American also provides settlement services, data products, valuation services, mortgage subservicing, and banking and wealth management services through nearly two dozen subsidiaries, many of which were also offline Tuesday.

One subsidiary, DataTrace Information Services, notified customers in a Dec. 22 LinkedIn post that the company had experienced a cybersecurity incident, had taken “certain systems offline,” and was “working to return to normal business operations as soon as possible.”

“I guess that explains why no response to emails the last two days,” replied the owner of a title abstract service in Farmingdale, New York.

The website of DataTrace, a provider of real estate title data, technology, managed services and automation, remained offline Tuesday.

Another First American subsidiary whose website was down Tuesday, valuation technology firm ACI, last week reposted a Dec. 21 LinkedIn notice by First American Title that it had experienced a cybersecurity incident and had taken “certain systems offline.”

“The lack of information you have put out is ridiculous,” one Florida appraiser replied to that LinkedIn post. “I am an appraiser and ACI Web has been down over 36 hours at this point. Just some kind of information would be nice.”

The website of First American Trust, a provider of wealth management services with $4 billion currently under management, also remained out of commission on Tuesday. On LinkedIn, First American Trust also reposted First American’s Dec. 21 cybersecurity incident report.

The website of ServiceMac LLC, a First American subsidiary that collects monthly mortgage payments and refinances mortgages on behalf of lenders and investors, was also down Tuesday, with no information about an outage posted on LinkedIn.

First American subsidiaries that were up and running Tuesday included Republic Title of Texas and Endpoint, First American’s digital title and settlement services subsidiary.

The nation’s largest title insurer, Fidelity National Financial (FNF), discovered on Nov. 19 that an unauthorized third party had accessed certain systems and acquired credentials and data. FNF hasn’t commented on reports that it was the victim of a ransomware attack, reporting only that a cybersecurity incident was discovered on Nov. 19 and contained on Nov. 26, with operations restored by Dec. 6.

FNF loan subservicer LoanCare LLC recently disclosed to regulators that hackers may have gained access to the personal information of more than 1.3 million clients, including names, addresses, Social Security numbers and mortgage loan numbers, during the cyberattack on its parent company.

Loan servicing giant Mr. Cooper has disclosed that between Oct. 30 and Nov. 1, hackers gained access to the personal information of nearly 15 million current and past customers including Social Security numbers, dates of birth and bank account numbers.

A ransomware group known as Blackcat, ALPHV or Noberus has allegedly infiltrated the computer networks of more than 1,000 victims, “including networks that support U.S. critical infrastructure,” the Department of Justice and FBI said last week.

In a Dec. 19 advisory, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) detailed steps companies should take to protect against ransomware attacks.


Email Matt Carter