Fidelity National Financial, or FNF, one of the largest real estate services companies in the United States, said it “contained” a recent cyberattack that engulfed its many subsidiaries and customers in a state of chaos for more than a week.
In a filing with the U.S. Securities and Exchange Commission, FNF said the incident was now under control as of November 26. “The Company is restoring normal business operations and is coordinating with its customers,” the filing said.
On November 21, FNF disclosed it had been the victim of a “cybersecurity incident.” This virtually froze all the company and its subsidiaries’ activities, leaving people buying and selling homes, or paying mortgages, confused and uncertain of what was going to happen to their properties and money.
Do you have more information about this data breach? We’d love to hear from you. From a non-work device, contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email email@example.com. You also can contact TechCrunch via SecureDrop.
One FNF subsidiary called the incident a “catastrophe” in an automated message played to anyone who called its customer support number. Last week, a voicemail for a person who works at a FNF subsidiary said that, “Fidelity National Financial is still experiencing a system-wide outage. We do not have access to send or receive email or access to any system. We appreciate your patience.”
TechCrunch has spoken with several people affected, who said they were unable to get anyone from FNF or its subsidiaries on the phone to figure out what was happening, or get answers.
Earlier this week, a person who uses Lakeview, a company “subserviced by LoanCare,” which is an FNF company, told TechCrunch that he couldn’t access his account, and neither could people at Lakeview, whom he spoke to on the phone. On Thursday, the person shared a screenshot of an email he received from Lakeview, which said that his account was now “up and running.”
Another LoanCare customer shared the same email in a Facebook group for people impacted by the breach. Several others in the group said they had received the same email.
At this point, it’s unclear what FNF did to contain the incident.
Shortly after FNF announced the incident, the ransomware group that calls itself ALPHV (also known as BlackCat) listed FNF on its dark web site, effectively claiming responsibility for the cyberattack, and pressuring FNF into paying a ransom to restore operations.
The ransomware gang removed the FNF listing from its leak site on the same day that FNF published its filing, saying it had contained the incident. Sometimes, when listings disappear from a ransomware gang’s websites, it means the victim may have paid the ransom.
FNF did not respond to a request for comment asking the company if it disputed paying the ransom.