A national trade association has disclosed a data breach that allegedly took place following a successful phishing attack.
On 3 July, the American Land Title Association (ALTA) said that the security incident affected title and settlement company usernames and passwords. It also noted that it first learned about the data breach on social media. As quoted in its security alert
A person claiming to be an ethical hacker contacted ALTA via Twitter and provided files that contain approximately 600 data entries consisting of domain identification, IP addresses, usernames and passwords. The data contains information for non-title companies as well.
ALTA, which serves as the voice of over 6,000 title insurance agents, abstracters and underwriters, clarified how it didn't find any evidence indicating that this data shared by the ethical hacker originated from a specific system breach. Additionally, it explained that it had discovered no indicators of bad actors having misused those leaked credentials.
At this time, ALTA is still investigating the information disclosure. It announced that it will contact specific title and settlement companies should it find specific data linking the breach to those entities.
This isn't the first time that phishers have targeted the national trade association. Back in May, for instance, ALTA warned
of a phishing campaign where fraudsters sent out attack emails using the subject line "Changes & Updates to Member Directory." The body of each email asked recipients to open an attached PDF under the guise of verifying their information stored within ALTA's membership directory.
In response to this latest instance, ALTA is urging title and settlement companies to require their staff to change their passwords. It's also recommending that these entities update their software and operating systems as well as scan their systems for malware. They can accomplish these tasks within the context of a robust vulnerability management program
and using an advanced malware detection solution
Title and settlement companies should also invest in the preparedness of their staff against phishing attacks. To do this, they should familiarize their employees with some of the most common phishing campaigns. Here's a great resource for them to start