First American says perpetrator stole data in breach

When certain company systems were accessed, data was stolen by the perpetrator of the First American Financial data breach, the company disclosed on Dec. 29.

The message was in an update to its Securities and Exchange Commission filing as well as on a website First American is using to keep its customers informed about the status of its system.

"Though the incident is still under investigation, the Company believes the perpetrator of the activity accessed certain Company systems, exfiltrated data and encrypted data on certain non-production systems," the message stated.

First American said it is working with law enforcement and notified regulators.

The latest post gives a little more insight into the timeline of the incident. "Upon detection of the unauthorized activity, the Company took steps in an effort to contain, assess and remediate the incident. On December 20, 2023, the Company elected to isolate systems from the Internet," the statement said.

It was on Dec. 21 that First American made its first public statements about the incident. It was the third significant cyber security event in recent weeks, which included an attack on systems at its rival Fidelity National Financial and mortgage lender and servicer Mr. Cooper.

In the Fidelity breach, which hit its subservicing unit LoanCare, personally identifiable information was also exposed to the perpetrators.

According to the update page, FirstAm.com was restored with limits to its functionality on the morning of Dec. 28, followed later that day by First American Home Warranty, Data Tree and Data Trace. The next day, the ACI appraisal, the Charles Jones public record search and FraudGuard loan quality systems all came back online.

Later in the afternoon on Dec. 29, AgentNet and Prism marketing systems were restored.

Meanwhile, some lenders had taken unilateral actions.

In a LinkedIn post from last week, Fairway Independent Mortgage CEO Steve Jacobson, without specifying First American, said "With the recent cyber security attack on a major title company, if it impacts any closings with Fairway, we will do the following: pay for hotel rooms; pay for meals; pay for the extra storage." 

He said he assumed all mortgagees would do the same.

Separately, Citi Correspondent Lending put out a memo stating its loan review process has been impacted by the First American incident and a temporary manual workaround has been put in place,  according to independent consultant Rob Chrisman.

"At this time access to First American's systems has been restored and Citi has returned to normal processes," a spokesperson for the bank said.

Wells Fargo has "appropriate steps in an effort to limit potential impact to our customers and to support continuity in our business processes," a statement from the company said.

First American was involved in a cybersecurity incident in 2019 that ended with fines of nearly $488,000 from the Securities and Exchange Commission, and $1 million with the New York Department of Financial Services.