Consumer Electronics Daily was a Warren News publication.
BlackCat Ransomware Attack

Class Action Seeks to Hold FNF, LoanCare Liable for November Data Breach

December 14, 2023 by Paul Gluckman|Top News

Fidelity National Financial (FNF) disclosed Nov. 21 it was the victim of a preventable ransomware attack that “virtually froze” all the company’s activities, “leaving people buying and selling homes, or paying mortgages, confused and uncertain of what was going to happen to their properties and money,” alleged plaintiff Teneika Tillis’ class action Tuesday (docket 5:23-cv-02537) in U.S. District Court for Central California in Riverside.

Soon after FNF disclosed the attack, the ransomware group BlackCat listed FNF on its dark website, “effectively claiming responsibility for the cyberattack, and pressuring FNF into paying a ransom to restore operations,” said the complaint. Because the data breach compromised Tillis’ sensitive personal information, she and the class “have been placed in an immediate and continuing risk of harm” from fraud, identity theft and related harm, it said.

FNF and its LoanCare subsidiary “had prior notice of their inadequate data security procedures and practices,” said the complaint. In August 2022, LoanCare, which provides “subservicing services” on more than 100,000 loans for 90 companies in all 50 states, notified customers of a data breach affecting their sensitive personal information, including credit card numbers and security codes, the complaint said.

As a result of FNF's and LoanCare's negligence, Tillis and the class “will be required to continue to undertake time-consuming and often costly efforts to mitigate the actual and potential harm” caused by the data breach, said the complaint. This includes efforts to mitigate the breach’s exposure of their personal information, including by placing freezes and setting alerts with credit reporting agencies, monitoring credit reports and accounts for unauthorized activity and changing passwords on “potentially impacted websites and applications,” it said.

As a condition of receiving loan servicing and other mortgaging services, FNF “collects and requires that its customers turn over highly sensitive personal information,” said the complaint. FNF knew it needed to protect the privacy and safeguard the sensitive personal information of Tillis and the class members, “and further committed to holding its partners and affiliates, like LoanCare, to the very same privacy protection standards it follows,” it said.

FNF and LoanCare “purposefully obtained and stored” personal information of Tillis and the class and knew or should have known of the serious risk and harm caused by a data breach, making them “obligated to implement reasonable measures to prevent and detect cyberattacks,” said the complaint. These include measures recommended by the FTC, data security experts and other agencies, it said.

The court should issue injunctive relief requiring FNF and LoanCare “to employ adequate security protocols consistent with industry standards to protect its users’ data,” said the complaint. If an injunction isn’t issued, Tillis and the class “will suffer irreparable injury and lack an adequate legal remedy in the event of another breach” of the FNF and LoanCare data systems, it said.