Hackers stole data from more than 1.3 million Fidelity National Financial (FNF) customers when the giant real estate services firm was hit with a ransomware attack in November 2023 that shut down the company’s operations for a week.

According to a K-8 filing this week with the U.S. Securities and Exchange Commission, FNF executives wrote that “an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data.”

The company wrote that it completed its investigation of the attack December 13 but didn’t give much detail in the SEC filing about the nature of the breach, what kind of information was stolen, though it did say it is providing 24 months of credit and web monitoring and identity theft restoration services from financial advisory firm Kroll to those effected.

However, in a notice with the state of Maine, LoanCare – a company bought by FNF in 2009 that services mortgage loans for banks and other financial services organizations – said that Social Security numbers were taken by the attackers.

In addition, FNF executives in the SEC filing said they are still working with law enforcement, customers, and regulators and that the cyberattack shouldn’t have a material impact on its operations.

They also noted that FNF is facing several lawsuits in relation to the cyberattack, adding that it will “vigorously defend itself against any litigation filed related to the incident.”

Attack in November

The company, which has almost 29,000 employees, said it discovered an intrusion into some of its system November 19 and that it finally contained the incident November 26. The last evidence of hacker activity in its systems was November 20.

After detecting the unauthorized activity, the FNF kicked off an investigation and brought in outside cybersecurity experts for help. Executives also notified law enforcement and regulatory agencies. The company blocked access to certain systems, which they said disrupted some operations.

There were reports of people and companies unable to complete transactions, such as mortgage payments and house purchases, during the time those systems were down.

BlackCat Claims Responsibility

The high-profile ransomware group BlackCat – or ALPHV – claimed responsibility for the attack and listed FNF on its dark web data leak site, though the company has since been removed in a possible sign that a ransom had been paid.

The Russia-linked group has been among the most active ransomware-as-a-service (RaaS) gangs in recent years. According to the Justice Department (DOJ), BlackCat has claimed more than 1,000 victims, including financial services firms as well as schools and healthcare organizations, and collecting hundreds of millions in paid ransoms.

In late December, the DOJ and FBI said it took down the RaaS group’s online operations and created a decryptor tool that could help more than 500 victims reclaim their encrypted files.

Financial Services Firms Targeted

The financial services industry continues to be an attractive target for ransomware and other threat groups. According to a report by cybersecurity firm Sophos in July 2023, the number of ransomware attacks in the sector has jumped in recent years, from 34% of financial services organizations surveyed in 2021 falling victim to 64% last year, thanks in part to the widespread hack of a vulnerability in Progress Software’s MOVEit file transfer tool by the Cl0p ransomware operation starting in May 2023.

As of this week, 2,730 organizations and more than 94.2 million people were affected by breaches using the MOVEit tool, according to cybersecurity firm Emsisoft.

Other financial services firms that have been hit with recent data breaches include mortgage lender loanDepot, which this month in a SEC filing disclosed a ransomware attack in which the bad actors accessed some systems and encrypted data.

Another mortgage firm, Mr Cooper, said in a filing with the state of Maine last month that a security breach in October 2023 that the private information of almost 14.7 million people – such as addresses, Social Security numbers, and bank account numbers – was stolen.