- Ransomware group BlackCat has targeted Florida-based Fidelity National Financial (FNF), a major title insurance provider, accessing systems and obtaining credentials.
- FNF has launched an investigation, engaged cybersecurity experts, informed law enforcement, and taken steps to contain the incident.
- BlackCat, also known as ALPHV, confirmed its responsibility for the attack on FNF via its deep web blog. The group criticized FNF’s hiring of cybersecurity firm Mandiant and threatened further action if FNF did not engage with them.
- This attack follows BlackCat’s recent breach of Florida’s First Judicial Circuit, where they claimed to have accessed personal data and network maps.
Ransomware group BlackCat has claimed responsibility for a cyberattack on Jacksonville-based real estate title insurance provider Fidelity National Financial (FNF), a Fortune 500 company, marking the group’s second major strike against Florida-based entities in recent weeks.
In a filing with the Securities and Exchange Commission, Fidelity said it “became aware of a cybersecurity incident” on Nov. 19 that culminated in an unauthorized third party accessing certain FNF systems and acquiring credentials.
“FNF recently became aware of a cybersecurity incident that impacted certain FNF systems,” the company reported in its filing. “FNF promptly commenced an investigation, retained leading experts to assist the Company, notified law enforcement authorities, and implemented certain measures to assess and contain the incident. Among other containment measures, we blocked access to certain of our systems, which resulted in disruptions to our business.”
BlackCat, which also goes by ALPHV, confirmed on its leak blog, accessible only through the Tor browser, that it was responsible for the ransomware attack. While remaining relatively mum on details, the hacking outfit took aim at FNF’s hiring of cybersecurity firm Mandiant. FNF currently cannot be contacted because its media page is partially incapacitated.
“Hiring Mandiant has the following effects,” the group wrote in its blog post. “Before disclosing whether or not we have collected any data, we will allow FNF further time to get in touch. I implore FNF investors to talk some reason into these executives who are gullible enough to fall for Mandiant’s disinformation.”
Last month, BlackCat claimed responsibility for a cybersecurity breach of Florida’s First Judicial Circuit, which comprises Escambia, Okaloosa, Santa Rosa, and Walton counties. Per the group, it gained access to personal data and a network map of the court’s systems with local and remote service credentials. In its blog post following the judicial circuit breach, BlackCat threatened to leak 2 terabytes of confidential information.
“Proof of leakage. Full data coming soon, we have 2TB,” wrote the group alongside a file upload.
When the breach was first detected on Oct. 2, the First Judicial Circuit stated that it significantly affected operations across the circuit, impacting courts in all four counties for an extended period with additional disruption to email and phone services.
Amid a rash of recent statewide cybersecurity attacks, Rep. Mike Giallombardo introduced legislation this month that would protect counties, municipalities, commercial entities, and third-party agents from liability in the event of a cyberattack, provided they comply with designated cybersecurity standards.
The core of the bill requires that the included entities align with established cybersecurity frameworks, such as those from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO). Compliance requirements vary based on the size of the entity and the sensitivity of the data they handle.
Entities under specific regulations, like those bound by the Health Insurance Portability and Accountability Act (HIPAA), would be required to tailor their cybersecurity measures to meet these regulations, should the bill be adopted.
“A sole proprietorship, corporation, association, or other commercial entity that acquires, maintains, stores, or uses personal information is not liable in connection with a cybersecurity incident if the entity substantially complies with [cybersecurity frameworks],” reads the bill.