Title firms swoop in to help victims of Cloudstar ransomware attack

Companies across the mortgage settlement services spectrum are pulling together to help Cloudstar clients get back up and running following a ransomware attack that has shut down one of its largest providers.

Cloudstar, which acts as a container for the data generated by title production software, was shut down on July 16 by the attack. It is unknown how many closings could be affected; however, Cloudstar has six data centers in the U.S., with more than 42,000 users, according to information on the American Land Title Association website.

"We have retained third-party experts to assist us in our recovery efforts and have also informed law enforcement," a Cloudstar spokesperson said. "Due to the nature of this attack, at this time our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline."


Once the news of the attack broke, a broad segment of the industry responded, with "some of the thought leaders just getting together saying, 'OK, let's see how we can work through this,' " so mortgage closings can go forward, said Tom Cronkright, CEO of data security company CertifID.

The shutdown has affected the integrations that CertifID has with some of the title production software managed or hosted by Cloudstar. CertifID is providing a secure web application that allows title agents and consumers to reconfirm the wiring instructions and make sure that money can be transferred safely, Cronkright said.

Because Cloudstar is still down, "what we've been doing — and other organizations as well — is just scrambling to provide some kind of alternative options so that these agents can keep doing business," said Kevin Nincehelser, COO of Premier One, a competitor to Cloudstar that also provides a container where the information created on title production software such as ResWare, SoftPro and others resides.

By the end of the day on July 20, Premier One will have brought 10 agents and 426 users back online in an expedited process, he said. If the agency uses ResWare, for example, it normally takes a five-to-eight-week planned process to bring them on board, he said.

While Premier One hopes to continue doing business with these agents after Cloudstar's recovery is complete, it is not requiring it, Nincehelser said. "If they've reached out to us we are going to help them either way."

Premier One, like others, including title insurance underwriters, is doing its best to help in the recovery effort.

"We're not actively going out and seeking Cloudstar clients and trying to profit from this, but we just know that there are business owners and agents out there who still can't work," Nincehelser said. "And so we want to provide them a system that's functional as quickly as possible so they can maintain their businesses."

Premier One's cloud technology is Microsoft Azure. Earlier this year, Cloudstar was offering free migrations away from Microsoft Azure to its dedicated private cloud environment. That explains the difference in the way the two are structured, Nincehelser said.

"We provide a dedicated hosting environment for each client, which is separate and segregated from any other client, whereas Cloudstar is a shared hosting platform where multiple businesses all kind of combined into the same infrastructure, the same environment but with unique passwords and credentials," he said.

Qualia is also coming to the aid of title agents who are Cloudstar customers by offering Qualia Core, its cloud-based title and escrow production system, at no cost. Qualia acquired ResWare's parent company in December.

Ramping up security

The attack illustrates cybercriminals’ continued interest in targeting real estate transactions.

"We saw it in the early days [of cybercrime] in spoofing and wire fraud and some data breaches," Cronkright said. "But this one in particular shows more of a concerted effort to disrupt the real estate transaction process."

The money and the amount of personally identifiable information involved in real estate transactions make settlement services companies a particularly attractive target for cybercriminals, said Ike Suri, chairman and CEO of FundingShield, another data security company.

"Per our data from the first quarter, one in three transactions was deemed high-risk and the second quarter numbers are forthcoming but show that the risk climate has only increased based on various items we independently verify and validate."

In the past, the Consumer Financial Protection Bureau declared that mortgage lenders are responsible for the activities of their vendors, and even the vendor's subcontractors.

"This attack also sheds light on the regulatory scrutiny that third- and fourth-party service providers will be under per recent comments coming from various bodies," Suri said. "Best practices will need to be vetted to ensure that fail over, backups and dual hosting models are in place and security processes and controls are intact."

A year ago, the Federal Bureau of Investigation reported 2,474 ransomware attacks, up from 2,047 in 2019 and 1,493 in 2018. The fraud cases in 2020 generated $29.1 million in associated losses, but that is likely a significant undercount, as it doesn't include estimates of the costs from lost business, time, wages, files, equipment or any third-party remediation services, the FBI declared in its annual IC3 report.

"In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate," a note in the report said. "Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents."

ALTA is the primary backer of the Coalition to Stop Real Estate Wire Fraud. Business email compromise, which heretofore had been the primary worry regarding settlement services cybercrime, is normally a one-off attack in which an individual is typically the victim, but the reported financial losses are much greater than in ransomware. Ransomware gets more attention in the media because it affects a broader constituency, Cronkright pointed out.

"At a broader level this really is highlighting the need for additional measures in the security space and I can speak for title and settlement in particular," he said. The entire industry, lenders and settlement service providers, must "take a more offensive cybersecurity approach versus defensive."
