1.3 Million Victims: The Devastating Impact of ALPHV’s Attack on FNF and LoanCare

 By Charles Joseph | Cybersecurity Researcher
 Published on December 27th, 2023

In November 2023, Fidelity National Financial (FNF), a prominent US-based insurance provider specializing in the real estate and mortgage industries, fell victim to a sophisticated cyberattack. The attackers, identified as the ALPHV ransomware gang, known for their previous attacks on MGM Resorts and Caesars International, successfully breached FNF’s servers. This breach led to unauthorized access to sensitive customer data from LoanCare, a leading servicer in the US mortgage industry.

LoanCare, which manages approximately $390 billion in balances from 1.2 million loans, faced significant repercussions from this breach. The investigation revealed that the attackers exfiltrated data, potentially compromising the personal information of 1,316,938 borrowers in the U.S. The exposed data includes customer names, addresses, Social Security numbers, and loan numbers.

FNF’s Disclosure and Federal Action

Following the discovery of the breach, LoanCare took immediate action. They posted a notice on their website and informed the relevant authorities. To address the concerns of affected customers, LoanCare offered a two-year identity monitoring service through Kroll, a global leader in risk mitigation.

Fidelity National Financial, with over $11.5 billion in revenue in 2022, disclosed the cyberattack in a filing with the Securities and Exchange Commission (SEC), highlighting the severity of the incident. The filing stated that the company had initiated an investigation and engaged “top-tier experts” for assistance. It had also notified law enforcement and taken steps to evaluate and limit the impact of the incident.

The filing further noted that as part of their containment strategy, they restricted access to some of their systems, leading to operational disruptions. This impacted their services in areas such as title insurance, escrow, other title-related services, and mortgage transactions.

In response to the growing threat from the ALPHV ransomware gang, federal authorities have initiated actions to dismantle parts of ALPHV’s dark web infrastructure.

How Do We Know That the ALPHV Group Is Behind the Attack?

The ALPHV ransomware gang, also known as BlackCat, is believed to be behind the recent cybersecurity attack on Fidelity National Financial (FNF). This conclusion is based on a post made by the ransomware gang itself. In an online statement, ALPHV/BlackCat claimed responsibility for the attack on FNF, stating that the company was “ruined” for hiring incident responders, allegedly from Google’s Mandiant unit.

Fidelity had previously notified the public of the cybersecurity breach in a filing with the Securities and Exchange Commission, mentioning that they had blocked access to certain systems, leading to disruptions in various services, including title insurance, escrow, and other title-related services, as well as mortgage transactions. This attack is part of a recent trend of cyberattacks targeting large housing industry firms.

What Is the ALPHV Group?

The ALPHV group is a notorious ransomware gang recognized for its sophisticated cyberattacks. Operating on a Ransomware-as-a-Service (RaaS) model, they develop ransomware, which is then distributed by affiliates.

ALPHV is known for employing advanced techniques and customizing attacks to target large organizations effectively. They often use double extortion tactics, encrypting victims’ data and threatening its public release unless a ransom is paid. The group has a global reach, targeting entities worldwide and maintaining a presence on the dark web. Their activities have made them a significant threat in the cybersecurity landscape.

Conclusion

This cyberattack underscores the growing threat of ransomware gangs like ALPHV in the financial sector. The breach at Fidelity National Financial and its impact on LoanCare and potentially other financial institutions highlight the need for enhanced cybersecurity measures and rapid response strategies to protect sensitive customer information.
