Title corporations step in to assist victims of Cloudstar ransomware assaults

Companies across the range of mortgage billing services are pulling together to help Cloudstar customers get back up and running after a ransomware attack that crippled one of its largest providers.

Cloudstar, which acts as a container for the data generated by the title production software, was shut down by the attack on July 16. It is unknown how many closings could be affected, however, according to information on the American Land Title Association website, Cloudstar has six data centers in the US with more than 42,000 users.

"We hired outside experts to help us with our recovery efforts, and we've also informed law enforcement agencies," said a Cloudstar spokesman. "Due to the nature of this attack, our systems are currently inaccessible and although we are working 24/7, we do not have a definitive schedule for recovery."

When news of the attack broke out, a broad segment of the industry responded with "some of the thought leaders who were just sitting down and saying, 'Okay, let's see how we can handle this'" so that the Mortgage closings can continue, said Tom Cronkright, CEO of data security firm CertifID.

The shutdown has impacted CertifID's integrations with some of the title production software managed or hosted by Cloudstar. CertifID provides a secure web application that allows title agents and consumers to reconfirm wiring instructions and ensure money is safe to send, Cronkright said.

With Cloudstar still down, "we – and other organizations – were just trying to offer alternative options so these agents could keep doing business," said Kevin Nincehelser, COO of Premier One, a competitor to Cloudstar, which also has a container which contains the information created in title production software such as ResWare, SoftPro, Qualia, and others.

By the end of the day on July 20, Premier One will have 10 agents and 426 users back online in an expedited process, he said. For example, when the agency uses ResWare, it usually takes a five to eight week planned process to get them on board, he said.

While Premier One hopes to continue doing business with these agents after the Cloudstar restore is complete, it is not necessary, Nincehelser said. "When they have turned to us, we will help them either way."

Premier One, like others, including title insurers, are doing their best to help with the recovery effort.

"We don't go out and about looking for Cloudstar customers and trying to take advantage of them, but we just know there are business owners and agents who still can't work," said Nincehelser. "That's why we want to give them a system that is up and running as quickly as possible so they can keep their business going."

Premier One's cloud technology is Microsoft Azure. Earlier this year, Cloudstar offered free migrations away from Microsoft Azure to its dedicated private cloud environment. That explains the difference in the structure of the two, said Nincehelser.

"We offer a dedicated hosting environment for each customer, separate and separate from every other customer, while Cloudstar is a shared hosting platform that combines multiple companies in the same infrastructure, the same environment, but with unique passwords and credentials be. "he said.

Increase security

The attack shows the continued interest of cyber criminals in targeting real estate transactions.

"We saw it in the early days [of cybercrime] with spoofing and wire fraud and some data breach," said Cronkright. "But it is precisely this that shows a concerted effort to disrupt the real estate transaction process."

The money and amount of personal data associated with real estate transactions make billing services companies a particularly attractive target for cyber criminals, said Ike Suri, chairman and CEO of FundingShield, another data security firm.

"Based on our data from the first quarter, one in three transactions was classified as risky and the numbers for the second quarter will be released shortly, but show that the risk climate has only increased due to various elements that we independently review and validate."

In the past, the Consumer Financial Protection Bureau stated that mortgage lenders are responsible for the activities of their sellers and even the seller's subcontractors.

"This attack also sheds light on the regulatory scrutiny that third-party providers and third-party service providers will be subject to, according to recent comments from various bodies," said Suri. "Best practices need to be reviewed to ensure that failover, backup, and dual hosting models are in place and that security processes and controls are intact."

A year ago, the Federal Bureau of Investigation reported 2,474 ransomware attacks, up from 2,047 in 2019 and 1,493 in 2018. The fraud cases in 2020 resulted in associated losses of $ 29.1 million, but that's likely a significant minority since it does not include estimates of the cost of lost business, time, wages, files, equipment, or other third party remediation services, the FBI stated in its annual IC3 report.

"In some cases, victims do not report the amount of the loss to the FBI, resulting in an artificially low overall loss rate of ransomware," the report said. "After all, the number only represents what the victims report to the FBI through the IC3 and does not take into account the direct reporting of the victims to the FBI field offices / agents."

ALTA is the main supporter of the Coalition to Combat Real Estate Fraud. Business email compromise, which has historically been the number one cybercrime concern for billing services, is usually a one-time attack in which a person is usually the victim, but the reported financial losses are much greater than with ransomware. Ransomware gets more media attention because it affects a wider audience, stressed Cronkright.

"On a broader level, this really highlights the need for additional security measures and I can speak for title and agreement in particular," he said. The entire industry, lenders and processing service providers, must “take an offensive approach to a more defensive cybersecurity approach”.

Related Articles