Home title and insurance company First American Financial yesterday confirmed it notified 41,638 people about a December 18, 2023 data breach that compromised names and state-issued ID card numbers (e.g. driver’s license numbers).
FAF on May 21, 2024 disclosed (PDF) the breach to the SEC. That report stated approximately 44,000 individuals’ personal data might have been accessed without authorization. Yesterday, the notification was posted to the Maine Attorney General website, which says 41,638 people were affected.
No group has claimed responsibility for the breach as of time of writing. We don’t yet know whether a ransom was demanded, how much it was, whether FAF did/will pay it, or how attackers breached FAF’s network.
FAF responded to Comparitech’s questions with the following statement:
“First American’s investigation into its December 2023 cybersecurity incident conducted with leading external cybersecurity experts found that an unauthorized party may have accessed certain personal information.
First American will provide appropriate notifications to potentially affected individuals and offer those individuals credit monitoring and identity protection services at no cost to them.
First American takes this incident and the security of information in our care seriously and has further strengthened its already-robust network security.”
We recommend victims take advantage of the free credit monitoring and identity theft restoration services offered by FAF via Experian. Note that you must enroll by September 30, 2024.
Ransomware attacks on the financial sector
According to our data, 91 financial organizations were hit by ransomware in 2023, affecting 18,660,098 records. So far this year we’ve tracked 21 ransomware attacks affecting 17,182,154 records. The huge figure for 2024 stems primarily from the attack on LoanDepot in January, which affected over 16.9 million people.
Throughout 2023 and so far in 2024, the average ransom in the finance industry is $4.3 million. The highest ($200m) was demanded from the Bank Syariah Indonesia after LockBit hit its systems in May 2023. It refused to pay.
LoanDepot refused to pay its $6m demand from ALPHV/BlackCat, but the incident cost it $14.7 million (net of expected insurance recovery). At the time of its last 10-Q filing (PDF), FAF had received approximately $15 million in reimbursements from its cybersecurity insurers.
So far this year, we’ve also tracked 132 unconfirmed attacks on the financial industry.
About First American Financial
Founded in 1989, FAF sells title insurance and settlement services for real estate mortgages. It’s a fortune 500 company with 19,000 employees and more than $6 billion in annual revenue, according to external sources.
This isn’t FAF’s first cyber attack. In May 2019, the company leaked 885 million mortgage-related documents dating back to 2003. That data included bank account numbers, mortgage and tax records, Social Security numbers, and other private information.
