Cloudstar discovered it was the victim of a highly sophisticated ransomware attack on July 16, 2021. Since then it has been working with a third-party forensics company to assist recovery efforts and has informed law enforcement.
“Cloudstar was recently the victim of a highly sophisticated ransomware attack. We have retained third-party experts to assist us in our recovery efforts and have also informed law enforcement,” Cloudstar President Christopher Cury told The Legal Description’s sister publication, The Title Report.
“Due to the nature of this attack, at this time our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline,” Cury said. “We will continue to investigate this incident and provide updates to our customers as we have additional information to share.”
Tom Weyant, VP, risk management and data security, and privacy officer at Alliant National Title Insurance Co., noted this is indicative of a big shift in ransomware attacks where hackers are focusing on industries’ infrastructure instead of individual companies.
“What we are seeing today is they did not attack an individual agency, they attacked the infrastructure,” he said. “When they do that it is more pervasive as far as the disruption and destruction that it causes when this happens. Resware users and others may all be affected by the outage and breach. It is socially disruptive as well as industry disruptive in getting to the businesses that use Cloudstar. That is a big difference from what we’ve seen in the past but it is right in line with the direction of how ransomware attacks have been migrating.”
He said this is very similar to the Colonial Pipeline ransomware attack and the JBS meat processing attack a couple of months ago and noted that infrastructure attacks cripple an industry, have widespread implications and demand much larger ransom payments.
In an update on its website July 18, 2021, Cloudstar stated, “Due to the nature of this attack, at this time our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline. Our Office 365 mail services, email encryption offering and some support services are still fully operational.
“Cloudstar has retained third-party forensics experts Tetra Defense to assist us in our recovery efforts and also informed law enforcement,” the update stated. “Negotiations with the threat actor are ongoing. Additionally, we have informed all of our customers and are committed to helping them through this and working in the best interest of the industry. We will continue to investigate this incident and provide updates to our customers as we have additional information to share.”
In additional FAQs, Cloudstar noted that though it is working around the clock, it does not have a definitive timeline for the restoration of its systems. It also cannot make any conclusive statements about data exfiltration.
For agencies that may be impacted by the attack, Weyant said there are five key steps they should take. The first is to know what their state breach law requires. He said all states are different in terms of the timeline, what triggers certain reporting requirements and to whom to report.
“And you have to stay in close contact with Cloudstar if that is your service provider,” Weyant said. “They’ll give you an estimate on what is going on and when systems and operations may resume. Any attack can take days to several weeks for the service provider to come online. At this point we don’t have a hard and fast estimate on when they may be back in business.
“The other reason to stay in touch with them is because you are going to need a root cause analysis that they are obligated to provide you,” he added. “You may need that for several things. Number one, to provide to your state. You may need to provide it to your insurance carrier or to your legal department. It’s important to stay in close touch with them and get that root cause analysis and post mortem once things settle down.”
Weyant also noted it’s important to understand your insurance coverage. If a partner or client gets breached or you can’t conduct business, he said cybersecurity insurance may cover your downtime and any business disruption losses.
“You’ve got to get in touch with your insurance carrier, your legal team and let all of your internal and outside stakeholders know this happened and provide them with facts and details as they are received,” he said.
Weyant said this is also a time to reassess your own security, making sure you have things like multifactor authentication and strong passwords to access systems and applications, making sure encryption is deployed for emails as well as any data at rest.
What should you do about closings that are scheduled for this week? Weyant said agents should notify all parties that were scheduled and plan to move those out accordingly, being up front and factual in explaining why the closing must be rescheduled.
“The best thing at this point for most of our agents is to stay calm, wait for the facts to come in and to reschedule and prioritize those closings that were to happen this week,” he said.
“As of right now, unfortunately because it was such a disruptive attack, many folks are in the same situation, just waiting for details,” Weyant said. “That is always the hardest part.”