The verdict is in — the old way of doing business is over. Join us at Inman Connect New York Jan. 23-25, when together we’ll conquer today’s market challenges and prepare for tomorrow’s opportunities. Defy the market and bet big on your future.

Mortgage lender loanDepot is the latest big real estate company to be targeted by hackers, disclosing Monday that it had “shut down certain systems” after discovering an unauthorized third party accessed its systems and encrypted some of the company’s data — a tactic employed by ransomware groups that have targeted more than 1,000 companies and organizations.

In a Securities and Exchange Commission filing, loanDepot said it had “recently identified a cybersecurity incident” which it “promptly took steps to contain … including launching an investigation with assistance from leading cybersecurity experts, and began the process of notifying applicable regulators and law enforcement.”

LoanDepot declined to provide Inman more specific information on when the security breach occurred, or whether the company has received a ransom demand. But clients began complaining Friday on the social media site X, formerly Twitter, that they were unable to access the site to perform basic tasks like paying their mortgage.

Lawrence Abrams, the owner and editor-in-chief of BleepingComputer.com, posted a screenshot over the weekend in which loanDepot’s social media account on X informed a client on Saturday, Jan. 6, that the company was “experiencing a cyber incident, which is affecting our phone lines. We are working diligently to return to normal business operations as soon as possible.”

The nation’s two largest title insurers — Fidelity National Financial and First American Financial — were forced to shut down their systems after similar security breaches in November and December, and mortgage servicing giant Mr. Cooper last month notified nearly 15 million past and current customers that their personal information may have been compromised in an October data breach.

Fidelity National Financial (FNF) has said it discovered on Nov. 19 that an unauthorized third party had accessed some of its systems and acquired credentials and data. FNF said the incident was contained on Nov. 26 and has not commented on reports that the company was the target of a ransomware attack exploiting a software vulnerability in Netscaler, Citrix Bleed.

An FNF subsidiary, mortgage loan subservicer LoanCare LLC, has notified more than 1.3 million homeowners that hackers may have gained access to personal information including their name, address, Social Security number and mortgage loan number during the cyberattack on its parent company.

First American Financial has been gradually restoring business operations following a cybersecurity breach that knocked its website offline on Dec. 20, with the company’s AgentNet platform for title agents coming back online on Dec. 29.

The First American network, including the company’s employee email system, was restored on Jan. 3, and its IgniteRE platform for residential real estate professionals was back online the following day, according to updates posted on the company’s website.

First American Exchange Company websites FirstExchange.com and InvestEagle.com also came back online on Jan. 4, First American said.

A ransomware group known as Blackcat, ALPHV or Noberus, has allegedly infiltrated the computer networks of more than 1,000 victims, “including networks that support U.S. critical infrastructure,” the Department of Justice and FBI warned in a Dec. 19 bulletin.

In an advisory issued the same day, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) detailed steps companies should take to protect against ransomware attacks.

Get Inman’s Mortgage Brief Newsletter delivered right to your inbox. A weekly roundup of all the biggest news in the world of mortgages and closings delivered every Wednesday. Click here to subscribe.

Email Matt Carter

Mortgage subservicer Loancare informed authorities that the data of about 1.3 million customers was compromised following a cyberattack in November on its parent company, the big four title firm Fidelity National Financial (FNF). This data includes customers’ social security numbers. 

The company informed officials in Maine and California that 1,316,938 customers had information accessed by hackers during the incident. However, it stated the firm has “not identified any fraudulent use of your personal information as a result of this incident.” 

“Based on our investigation, we understand that your name, address, social security number, and loan number may have been obtained by the unauthorized third party,” the document states.

On Nov. 19, FNF said it suffered a “cybersecurity incident” that led the system to shut down some of its networks, causing disruptions to its title insurance, escrow and other title-related services, as well as mortgage transactions. 

The infamous ransomware gang AlphV/BlackCat claimed to be behind the attack. In an online post, the gang wrote that Fidelity was “ruined” for hiring incident responders, allegedly from Google‘s Mandiant unit.

FNF notified law enforcement authorities and implemented certain measures to assess and contain the incident. The firm said the incident was contained after about one week. 

However, the company became the target of a class action lawsuit alleging that they were negligent with customer data and that they breached their contract. The suit was filed by Teneika Tillis, a Loancare servicing client, in the U.S. District Court for Central California. 

Tillis said she filed the suit “upon information and belief” that her personal identifiable information had been compromised in the attack.

Per the documents filed in Maine and California, the companies have secured Kroll‘s services to provide identity monitoring services at no cost to customers for 24 months. 

Other companies that were also the target of cyberattacks over the last few months include Mr. Cooper and First American. 

Related