Updated Jan. 4, 2024
First American posted an update stating its network, including its employee email system, has been restored. "This development allows us to resume communication through our standard business channels," the update read. "Going forward, please reach out to your First American representative for any additional information."
Updated Jan. 3, 2024
First American Trust is back online and operational.
Updated Dec. 29, 2023
First American Financial Corp. reported DataTree and DataTrace are back online, as are First American Home Warranty’s website, its ACI appraisal system, Charles Jones public records search, and FraudGuard.
First American also filed the following update with the U.S. Securities and Exchange Commission:
As disclosed in the Original Report, the Company recently identified unauthorized activity on certain of its information technology systems. Upon detection of the unauthorized activity, the Company took steps in an effort to contain, assess and remediate the incident. On December 20, 2023, the Company elected to isolate systems from the Internet. The Company has retained leading experts, worked with law enforcement and notified certain regulatory authorities.
As of the date of this filing, the Company believes it has contained the incident. The Company is in the process of restoring access to its systems and resuming normal business operations.
Though the incident is still under investigation, the Company believes the perpetrator of the activity accessed certain Company systems, exfiltrated data and encrypted data on certain non-production systems.
The Company continues to assess whether the incident will have a material impact on the Company’s financial condition or results of operations, which at this point cannot be determined.
Updated Dec. 28, 2023
First American Financial Corp.'s website has been partially restored, according to an update on the landing page it created for information about the incident. The update posted at 5:01 a.m. PT on Dec. 28 reads: “FirstAm.com has been restored (with some limits to functionality). We will continue to post updates on this page as we return to normal business operations.”
An update posted at 4:14 p.m. PT on Dec. 27 reads: “Our bank, First American Trust, continues to accept incoming wires, and all funds at First American Trust and our third-party partner banks remain secure.”
Original story from Dec. 22, 2023
First American Financial Corp. cannot estimate how long some of its systems will remain offline after a cybersecurity incident, the company said in a Dec. 22 filing with the U.S. Securities and Exchange Commission.
In the filing, First American said it identified “unauthorized activity on certain of its information technology systems.” The company isolated some systems from the internet after taking steps to contain, assess and remediate the incident, it stated.
“The company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time,” the filing stated. “The company has retained leading experts, is working with law enforcement and notified certain regulatory authorities.”
First American also said it is “assessing the impact of the incident and whether it may have a material impact on its financial condition and results of operations, which at this point cannot be determined.”
The disruption of service right before the Christmas holiday is being felt across the real estate industry. First American’s websites are offline across its portfolio, including First American Title, DataTrace, SafeEscrow and ACI, a major provider of appraisal software.
It’s also likely to be felt in the regulatory space, Sterbcow Law Group Managing Attorney Marx Sterbcow said.
“The regulatory environment is likely to encounter massive headwind on the title IT world in 2024-25 due to all of this. The problem is that no matter how much security you have in place, it’s not enough,” he said.
Since cybercriminals never take a holiday, it is imperative that the industry stays extra vigilant at this time of year, Premier One Sales and Marketing Manager Shawn Fox said in an exclusive interview.
“These attacks are being attempted all day long, every day. That’s the real-life pattern. The recent news of successful attacks only reflects those events which have been discovered and disclosed,” he said. “From our perspective, everyone remains a potential target, whether it's a small five-employee title company or a larger underwriter.
“Malicious actors are constantly seeking vulnerabilities to exploit. These cyberattacks, occurring during a downturn in the market, only amplify the existing pressures and stress on all parties in the transaction. As organizations seek to wind down for the year and enjoy the holiday season, there is a greater risk that those critical security checks and balances are overlooked. We urge everyone to pay close attention and be even more diligent in your efforts to stay secure as we seek to close out the year.”
One of the vulnerabilities that criminals can take advantage of is the human factor, CertifID co-founder and Executive Chairman Tom Cronkright said.
“We can have millions and millions of dollars invested in infrastructure in all the software that analyzes the email and the traffic. But it could be a simple ‘click here to get a buy one, get one photo with Santa at the nearest mall’, and all of a sudden, they have a gateway in,” he said. “That's the thing about it – you're balancing the technology side, and you're balancing the very human side.”
Fox recommends businesses operate under a “zero trust” policy, meaning they should not automatically trust any user or device, however familiar.
“Just because you have done business with this lender or Realtor for years doesn’t mean they haven’t been compromised. Likewise, accepting your IT administrator’s assurances of complete security should be met with scrutiny,” he said. “It’s important to read, assess, and reevaluate security measures regularly. If you are doing the same thing for IT security today that you were doing three years ago, then you are falling behind.”
Some of the more effective ways Fox suggests to mitigate risk include advanced email security services, multi-factor authentication, and a 24/7 security operations center. He also advises having a plan in place for when an incident like the one First American faced happens.
“In today's cyber landscape, it's not a question of ‘if’ but ‘when’ a cyber event will occur. The key is preventing it from becoming a systemic issue with rapid detection and response preparation,” Fox said. “Have a plan in place for what to do when the bad guys get the best of your defenses. Ensure these components work seamlessly together by conducting thorough research on the products you implement. Remember, your employees are the initial line of defense, so prioritize their training.”
One critical thing that most companies don’t do is run through a company-wide drill of their crisis plan in case of a cyberattack, Cloudstar CEO Greg McDonald said.
“Because if you have a downtime, if you have a crisis, you better believe every single person in that company is going to be involved. Because one, they're not going to be able to work,” he said. “But two, they're probably going to be fielding phone calls if the phones are up. If an entire organization is dead in the water, every person is going to be trying to help. You don't want to get to the point where the phone is ringing, and someone doesn’t know what to do or what to say.
“There often are ways that you can help the customer, depending on their situation, in title. What is the customer calling about? Is it someone that recently closed? Is it someone that's going to close? Is it someone that is going to close today? Are they scheduled to close in a week? Or did they just hear about it and are concerned about their data? Depending on what they're calling about, you could have a script available ahead of time for everyone in every position to at least try to work through, and so simulating a catastrophe like this is really drilling it out and getting everyone involved.”
This latest cybersecurity incident is a reminder that cybersecurity has got to remain a priority, if not become a larger priority, for the title industry, Cronkright said.
“I think the intersection between wire fraud and cybersecurity is interesting, because it feels like the industry is becoming more of a focal point for the scammers,” he said. “What may have been an annual review of cybersecurity practices and the technology stack and the incident response should probably be more of a quarterly review at max. Meet with your advisors and strategists to say these are some of the trends that we're seeing, and here are the corrective measures, the proactive measures, or the reactive measures that need to be tuned up as we learn from all instances being reported.”
First American created a new landing page for updates about the incident. The first update read, “First American has experienced a cybersecurity incident. In response, we have taken certain systems offline and are working to return to normal business operations as soon as possible.”
The company also said its email system is offline and warned “any recipient of an email purporting to be from First American, First American Title or from FirstAm.com should be vigilant about cybersecurity risks and avoid clicking on unknown or suspect links.”