When loanDepot announced that it was the victim of a cybersecurity incident in early January, it became the fourth publicly traded mortgage or title firm to absorb an attack in as many months.
“There has absolutely been an increase in cyber security incidents,” said Alex Hamlin, the chief information security officer at Qualia, a digital real estate closing platform. “I think cybersecurity today is different than it used to be. We are no longer dealing with the amateur hackers of the [1990s] that are mostly just exploring and having fun and defacing websites. We are dealing with professionals who absolutely do this for a living.”
The recent spate of high-profile cybersecurity incidents kicked off with a data breach at nonbank mortgage lender and servicer Mr. Cooper. According to documents filed with the Securities and Exchange Commission (SEC), the breach exposed the data of 14.6 million current and customers, including 32,000 reverse mortgage customers. Information exposed by the breach included customer bank account numbers, names, addresses, phone numbers and Social Security numbers.
About two weeks later, “Big Four” title firm Fidelity National Financial was hit with a ransomware attack in which data belonging to 1.3 million customers was stolen. Ransomware gang BlackCat(ALPHV) claimed responsibility for the attack. Title firm First American was the next target, getting hit with an attack the week before Christmas. The company has yet to disclose exactly how many customers were impacted by the breach, but it has announced that data was stolen.
As 2023 turned to 2024, hackers remained busy, infiltrating LoanDepot just four days into the new year. According to SEC filings, the hackers accessed the data of 16.6 million customers.
“I remember when I first started this job — I loved it because nobody knew what we did, so nobody ever attacked title companies,” said Bruce Phillips, the chief information security officer at WEST, a WFG company.
“But then you started seeing people trying to steal data. And then along came the ransomware people, and then Cloudstar happened. Through that, they found out about this thing called mortgage and title, and they realized that they have a ton of consumer data. And they thought they should put those firms on the list of places to attack, and now it looks like it is our turn.”
Hamlin added that the mortgage and title industries could be viewed as “more acceptable to hack” than other industries.
“A few years ago when ransomware really started kicking off, the professional hackers were not so discriminate in their targets,” Hamlin said. “They were attacking hospitals and other places that were leading to loss of life, and that enlisted a very, very strong government response, whereas attacking our industry isn’t great, but it leads to just a loss of livelihood and not a loss of life, so it is almost more palatable in that way.”
These four high-profile attacks have caught the attention of mortgage and title professionals across the country. Many are wondering what they could be doing to prevent and prepare for an attack.
Many cybersecurity professionals say that accepting the inevitability of a cyber incident is the first step firms need to take.
“It is no longer a question if you are going to be impacted by one of these attacks, either directly or peripherally, but when you are going to be impacted,” said Stephen Millstein, whose firm Certified Title Corp. was impacted by the Cloudstar ransomware attack in July 2021.
In addition to accepting what industry professionals feel is inevitable, cybersecurity experts stress the importance of protecting passwords and training employees on basic security principles.
“Almost all of these types of attacks tend to come through an individual as the initial gateway,” said Tyler Adams, the CEO of CertifID, a wire fraud protection company.
Experts say hackers obtain login information through phishing scams or even self-serve password reset tools. Experts recommend using tools such as multifactor authentication (MFA) or password managers to better protect login information.
“The leading sources of breaches are reused passwords across many sites,” Hamlin said. “The top tool that is being underutilized is a password manager, which is a tool that makes it very easy by automatically generating a random, secure password for every site you visit, and it automatically fills it in for you when you go to a site. So, you only need to remember the password for the password manager and then it takes care of the rest.”
Some believe the mortgage and title industries may even see a movement toward Fido keys instead of passwords.
“Fido Keys are USB keys that serve as a token to enable the user to securely obtain access to certain sites or platforms, as MFA codes could be stolen if someone’s email or phone is hacked,” Adams said.
In addition to better protecting login information, cybersecurity experts say that firms should carefully regulate who has access to certain portions of their system.
“People should only have access to what they need,” said Shawn Fox, the director of sales and marketing at IT firm Premier One. “Many times, we walk into systems that we are not managing, and we see that the CEO or a director has a global admin role or a domain admin role. And they should absolutely not have these roles.
“Those roles ought to be unique and used for specific purposes. It should not be the account that you are using for your daily activity, and it should be extremely limited to just the people that need it.”
Besides improving general password and security practices, cybersecurity experts stress the importance of having a business continuity plan and an incident response plan. Business continuity plans consist of the procedures a firm needs to take to close off the hacked system, as well as how they plan to access and upload their backups, so that they are able to continue operating their business.
“What information security has been over the past five or 10 years is a purchase decision — you are buying something that makes you more secure. What we see now is that you can’t buy security,” said Kevin Nincehelser, the chief operating officer at Premier One. “You can’t purchase security and suddenly be more secure. It requires effort.”
According to Millstein, having a plan is just the half of it.
“It is easy to say, ‘Oh, we’ll just rely on our backup,’ but do you have access to that backup, and is it secure and do you know how to get it online? You have to actually rehearse it to make sure it works. You have fire drills at buildings and schools because you want to make sure you actually know how to get out of the building,” Millstein said. “You don’t want to say that you have a plan and never rehearse. You have to actually check and see if the things that you put in place work.”
When the Cloudstar attack occurred, Millstein assumed his firm would have access to its backups, but what he didn’t realize was that these backups were also stored on Cloudstar and subjected to the ransomware attack. Now, Millstein says he knows where the backups are located, and he and his team regularly practice how to get them up and running.
In addition to backups, cybersecurity experts also stressed the importance of having a cyber insurance policy.
“A good cyber insurance policy can really help for some of these types of attacks that we are seeing,” Adams said. “It obviously doesn’t prevent the event from occurring, but it at least gives you a safety net if the worst-case scenario were to occur.”
Cyber insurance policies typically protect firms in the event of a data breach, cyber incident, ransomware attack, wire fraud incident or a natural event, such as a solar flare, that shuts down the company’s ability to do business.
But not all carriers cover all types of events, and some may put price caps on how much they are willing to cover for certain types of events. The industry has also struggled in recent years as some carriers have left the cyber insurance arena.
“People are definitely leaving, but cyber insurance is still new,” said Justin Reinmuth, the founder of The Technology Risk Underwriting Group. “It is something that really started hitting the mainstream in 2019 or 2020, and I think a lot of carriers got into it thinking it would be like homeowners insurance. And then they realized that if they collect a dollar, they are going to be paying out three, and that is hard to sustain. “
For those that are staying in the business, Reinmuth said it is most common to see carriers sub-limiting coverage by, for example, offering $1 million in coverage on non-major areas and less on major areas. They also may create additional exclusions to the policy form.
Given the risks associated with coverage, it is not surprising that cyber policies can cost a pretty penny, but Adams feels they are worth it.
“Cyber insurance might be a bit more expensive than companies are prepared for or expect, but you have to think about your top priorities and how you value your business, because a cyber policy could be the difference between having a business or not,” he said.
Reinmuth also noted that many carriers help clients with their incident response plans.
“The insurance carriers have forensics, PR people, general counsel, so you are really buying knowledge and a group of vendors that will help you in these situations instead of having to pull everything together yourself and find the vendors you want to work with,” Reinmuth said.
In the most recent onslaught of cybersecurity attacks, incident response and external communications were a hot topic as many impacted professionals, as well as consumers, were displeased with how little the firms disclosed about the incidents.
In a LinkedIn post announcing the cybersecurity incident at First American, one disgruntled homebuyer commented: “We wired in full payment for a home that was supposed to close last week. Now our funds are not accessible and we are on track to miss our close date.” In another comment, a home seller said they had been waiting on disbursement for six days.
Some of these frustrated clients at First American, as well as the three other firms, have taken action by filing class-action lawsuits over alleged negligent handling of personal data. But according to Fox, a firm’s silence during a cyber incident shouldn’t necessarily be viewed negatively.
“Oftentimes when there is a security incident, the first step is to shut things off, so it doesn’t metastasize,” Fox said. “So, while the initial perception is bad, I look at that from the outside and say that if they had a plan in place and identified that there is some security event or issue, and they immediately shut things down and started their process of recovery and evaluation, that is actually a really good sign.
“The worst thing they could do is continue operating business as usual and just ignore it and allow it to continue to grow in terms of impact.”
Phillips added that some of the silence may be due to the advice and involvement of federal law enforcement.
“Silence might also be because a firm is trying to protect themselves in the event of a class-action lawsuit,” Phillips said. “But the problem is, if you stay quiet, you aren’t helping anyone, because how many of us are going to have the same problem and not be able to learn from your experience?”
Phillips added that publicly traded companies are also subject to certain disclosure requirements from the Securities and Exchange Commission, which he said is both good and bad.
“The good part of it is that we are getting more information about the breaches sooner. We aren’t getting good information about them, but we are getting confirmation that a breach occurred,” Phillips said. “But once again, I think informing consumers that something has happened that could potentially impact them might be a good thing.”
With the inevitability of a cybersecurity incident, industry professionals suggest that firms create a “culture of security.”
Adams said creating this culture is important as it will help a firm respond to the issue faster.
“You need to have a culture of security, so that if something happens, employees are willing to talk to someone about it and aren’t afraid that they will immediately get in trouble,” Adams said.
As Certified Title has worked to recover from the Cloudstar incident, Millstein said the company has spent significant time working on effective communication and stressing the importance of overall cybersecurity precautions.
“If someone sees an email come in and it looks suspicious, we communicate with each other and make sure everyone knows that if they see an email like this not to open it,” Millstein said. “We work much more as a team now to protect ourselves from opening anything or engaging with any suspicious actors.
“My office manager will also send everybody reminders to be careful that this stuff is out there every day. No one in the office wants to be the person who opens the email that shuts the whole company down, so we’ve gone from almost this complacency, where people didn’t really think about it, to their heightened level of awareness. And we are hypervigilant to make sure that we aren’t opening things we shouldn’t be.”
Millstein said he and his employees are so vigilant about security because he doesn’t think they could deal with another attack.
“It was so horrible,” he said. “If anyone needs motivation, just imagine what it would be like to wake up and find out that you can’t access any of your data, and that you can’t reconcile your escrow accounts, can’t close loans, can’t fund loans. And if you think about that, then you’ll be a lot more careful about how you go about your business.”
