Incident & Breach Response , Security Operations

Fidelity National Financial Details LoanCare Breach

1.3 Million Customers Notified of Breach; BlackCat Ransomware Group Claimed Credit
Fidelity National Financial Details LoanCare Breach
Fidelity National Financial notified 1.3 million customers that hackers had stolen their data. (Image: Shutterstock)

Mortgage industry giant Fidelity National Financial confirmed that a November 2023 hacking incident compromised personal information pertaining to 1.3 U.S. million customers.

See Also: 13 Essential Criteria to Consider For Cyber Resilience in IR & SoC Teams

"We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating and exfiltrated certain data," the real estate title insurance and transaction service provider said in a Tuesday regulatory filing.

"At this time, we do not believe that the incident will have a material impact on the company," it told investors. It didn't detail what type of information attackers had stolen or the malware they had used. The Jacksonville, Florida, company reported 2022 revenue of $11.4 billion.

The data breach affected LoanCare, a fully-owned subsidiary based in Virginia Beach, Virginia.

The ransomware-as-a-service group Alphv, aka BlackCat, took responsibility for the attack. Several weeks later, law enforcement disrupted the ransomware group's operations.

Following the attack on LoanCare, first detected on Nov. 19, Fidelity National Financial said it "took containment measures such as blocking access to certain of our systems resulting in varying levels of disruption to our businesses."

At the time, a real estate broker told Real Estate News that her homebuying clients were having trouble closing on their houses - and not just via LoanCare. She said FNF had told her that it also temporarily shut down systems for other subsidiaries, including Alamo Title, Chicago Title, Commonwealth Land Title and National Title of New York.

LoanCare isn't the only mortgage industry firm to have recently suffered a serious hack attack and data breach. Last October, a hack attack against Texas-based mortgage lender Mr. Cooper led to the theft of information pertaining to 14.7 million individuals, comprising every one of the firm's current and former customers.

On Thursday, hackers infiltrated non-bank mortgage lending giant LoanDepot's network and accessed and encrypted data, the company first said on Monday. "We have taken certain systems offline and are working diligently to restore normal business operations as quickly as possible," it told customers in its latest breach update, issued the same day.

LoanCare Customers Notified

Fidelity National Financial on Tuesday said it has finished alerting the approximately 1.3 million customers affected by its LoanCare breach and is offering them prepaid credit monitoring, web monitoring and identity theft detection services. The company said it has also notified all applicable state attorneys general and other regulators and that law enforcement is continuing to probe the breach.

FNF said it has been named as a defendant in multiple lawsuits as a result of the breach.

One proposed class action lawsuit, filed last month in the U.S. District Court for the District of Central California by a LoanCare client, accuses Fidelity National Financial and its subsidiary of having "failed to take reasonable measures to secure its system."

The complaint states: "The data breach itself and information defendants have disclosed about the breach to date, including its length, the need to remediate defendants' cybersecurity and the sensitive nature of the impacted data, collectively demonstrate defendants failed to implement reasonable measures."

FNF said it "will vigorously defend itself against any litigation filed related to the incident."


Based largely on FNF's SEC filings, here is a timeline for the hack attack and the company's recovery:

  • Nov. 19, 2023: FNF said it had detected an intrusion and launched an investigation, bringing in third-party experts.
  • Nov. 20: This is the last confirmed date attackers accessed FNF's network.
  • Nov. 21: FNF said in an SEC filing that during its breach response, it had blocked access to some services, including ones tied to "title insurance, escrow and other title-related services, mortgage transaction services, and technology to the real estate and mortgage industries."
  • Nov. 22: The Alphv/BlackCat ransomware-as-a-service group took credit for the attack, hedged about whether it had stolen any data, and criticized FNF for hiring Google Cloud's Mandiant incident response group to investigate.
  • Nov. 26: The breach was "contained," FNF said.
  • Dec. 6: Operations at FNF were fully restored.
  • Dec. 13: The digital forensic investigation concluded.
  • Dec. 20: Fidelity National Financial began notifying affected customers and applicable state attorneys general and regulators.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.