Cloudstar still has no “definitive restoration timeline” for its cloud-hosting systems that were taken out by a ransomware attack on July 16. It also said “it is too early to speculate about what data may have been impacted” or information breached, according to a July 19 post on its website.
The company hired third-party forensics experts Tetra Defense to help in recovery efforts and contacted law enforcement. “Negotiations with the threat actor are ongoing,” the company posted.
Cloudstar operates six data centers in the U.S., serving more than 42,000 users, according to the American Land Title Association (ALTA). The attack on one of the industry’s main cloud-hosting providers left hundreds of title companies and lenders unable to conduct transactions or close loans, revealing how vulnerable the title space is to cybercriminal attacks.
“These criminals go where the money is,” Silicon Title founder and CEO Nicholas Chavez said in an interview with The Title Report. “One of the largest transactions that someone who lives in the United States will make is the purchase of a home, so that’s a fantastic target for cybercriminals.”
Chavez, who earned a master’s degree in cybersecurity from Brown University, said most of the time, those in the title industry are the victims of a “man in the middle” attack, where the criminal pretends in a spoofed email, often via a spoofed IP address or DNS server, that they are someone else (like the Realtor, mortgage broker, banker or title agent) and say that wiring instructions have changed, telling the buyer to wire their money to a fraudulent account.
Ransomware attacks involve holding a company’s information hostage until a ransom is paid, usually in cryptocurrency. The title industry is an attractive target, Chavez said, because they store massive amounts of personal data like Social Security numbers, banking information, and tax records digitally.
“Title companies, banks, and other financial services companies are primarily software companies and information brokers now,” he said.
It’s not known yet what type of ransomware attack Cloudstar experienced. Chavez said one type involves the criminals essentially locking the company out of its own servers and information until ransom is paid.
Another is far more sinister. “They basically say, ‘We’re going to encrypt files so that way you can’t back them up or access them, but if you don't do what we say in 72 hours, we’re going to expose the data someplace on the open internet,” he said.
If that were to happen in the Cloudstar case, the chain reaction would be far-reaching, Chavez said. An attack at the cloud-hosting provider could involve data from the title agency, the underwriter, banks, real estate offices, property and casualty insurance providers, and the buyer and seller. It would also affect several different states, all of which have different data privacy laws. California and New York have some of the strictest.
“Given the total number of clients that Cloudstar serves, and the extent of the U.S. population concentration in New York and California, it is very possible that we will see some cascading second- and third-order consequences if the attack results in a data breach,” Chavez said.
Prevention is the best defense against cyberattacks, said Bruce Phillips, senior vice president and chief information security officer at WEST, a WFG company. To protect themselves, title companies and agents need a comprehensive plan in place, he told The Title Report.
“This includes creating and implementing an Incidence Response Plan, as well as putting fail-safes in place to ensure that they have access to their data and systems on at least a limited basis during times of crisis,” he said. “These systems and data sources should be independent of the company’s main systems and data storage providers, as well as directly accessible. Data protection techniques such as data encryption should also be implemented.”
Sensitive data should be copied to an offline backup system outside of the title company’s other service providers and inaccessible through those providers, Phillips added.
“By implementing this safeguard, title companies can prevent cybercriminals from accessing their backup files during a ransomware breach and ensure that they have direct access to their own data following a breach,” he said.
“Before loading backup data into their operating systems, title companies need to confirm that their operating system has not been compromised or corrupted as well,” Phillips said. “As a fallback, they should also have a standalone copy of their operating system that they can load onto a desktop computer along with their backup data source, so nothing is entirely inaccessible or lost. This will enable them to continue working following an attack, albeit at a slower pace.”
Also, team members need to be trained to identify phishing attempts and other malicious tactics, Phillips said.
It’s also crucial that title agencies work with outside companies that have cybersecurity experts on their management teams, Chavez said.
“IBM reports the average cost of a data breach in the United States is $8.64 million. With this type of financial risk, it is absolutely imperative that a company have competent cybersecurity leadership in the form of a chief information security officer or at the very least someone who has been formally educated in cybersecurity with a seat at the board level, especially for financial services and insurance companies,” he said.
Offering help
Many title and technology companies have stepped up to offer their services to help those left without access to their title and escrow production systems.
Mid South Title tweeted that its office is unaffected by the Cloudstar attack and that it’s willing to assist title agents in Tennessee or Louisiana that may need help.
Generes & Associates, the only authorized Landtech reseller in the U.S., invited affected Landtech users who need temporary online facilities or processing help to complete transactions to contact them for assistance.
SoftPro, RamQuest and Qualia are also offering help to affected title companies.
“Qualia is offering Qualia Core at no cost, on a temporary basis, to assist Cloudstar customers in regrouping and recovering operational capacity during this critical period,” Qualia CEO Nate Baker said in a post on the company’s website.
Qualia Core, which includes workflows, accounting, and reporting, is available to affected Cloudstar customers at no cost and with no ongoing commitments for three months, Vice President of Marketing Matt Kaufman told The Title Report.
“We've increased our onboarding capacity to help manage the surge and have already had several onboardings that are already opening orders,” Kaufman said July 19.