Nearly a year has passed since the Cloudstar ransomware attack and Stephen Millstein says he still feels “something like PTSD” whenever he thinks about what went down that dreadful mid-July weekend.
Millstein’s title firm, Certified Title Corporation, founded in 1994, was one of the hundreds of firms impacted by the cyber attack on the cloud storage provider.
“They essentially housed our entire business,” Millstein said. “I have compared it to waking up one morning and discovering that you have no credit cards, no passport, no ID, no cell phone — nothing. And then how do you go about reestablishing yourself when you have nothing to build from?”
At the time of the attack, Millstein and Certified Title Corporation had been with Cloudstar for 10 years. The digital storage provider housed all of Certified Title’s data and hosted the firm’s subscription to ResWare, its closing software of choice.
“It was like Certified Title never existed,” he said.
At the time of the attack, Cloudstar operated six data centers in the U.S. and served more than 42,000 users, according to the American Land Title Association. The attack left hundreds of title companies and lenders unable to conduct transactions or close loans.
For Millstein and many others in the title industry, the attack served as a wake-up call that even their encrypted cloud storage providers were not safe from security threats.
“We got a phone call Friday morning around 10 telling us that they were having a problem related to ransomware, but they didn’t offer any real information,” Millstein said. “Ransomware was a new word to me in the context of it actually affecting me — I had heard it on the news, but this was the first time it meant something to my life. Initially, I didn’t think too much of it and figured that by Monday things would be right as rain.”
Over the course of the weekend, Millstein realized he was wrong.
“We did ultimately get our data back from Cloudstar, but it took months for that to happen,” he said.
Bruce Phillips, the senior vice president and chief information security officer at west, a WFG company, was about to get on his tractor Saturday morning when he received a phone call from WFG’s general counsel. Some of the independent title insurers the firm contracts out to were having an issue.
“Once we realized what was going on, it was really eye opening because it wasn’t the companies themselves that were compromised, it was an underlying service provider,” Phillips said.
Adding to the stress of the situation is what Phillips and Millstein both describe as a total lack of communication from Cloudstar.
“I was lucky and got a call from Cloudstar Saturday afternoon and the guy who called me just told me that it was really bad and said that I would still have a problem come Monday,” Millstein said. “But from the other title firms I have spoken with it doesn’t sound like anyone else got a phone call.”
Millstein never heard directly from Cloudstar again after that Saturday afternoon call, and as far as Phillips knows, none of the independent firms he works with received any notice or updates of what was going on.
“There was zero information,” Phillips said. “I was reaching out to all of my contacts trying to find out as much as I could because the Cloudstar customers were getting zero information and the ones I have talked to since have still not gotten good clarity on what happened. I think the lack of communication to the affected parties was the worst part of it for many.”
As a result, Cloudstar customers were forced to rely on press statements published on the cloud service provider’s website.
The final update came in October, when Cloudstar announced that Tetra Defense, the third-party forensics experts it had brought in to conduct the investigation and assist in data recovery efforts, had finished its investigation, allowing the service provider to onboard new clients and welcome back those who had temporarily left.
If one were to visit Cloudstar’s website today, however, they would see an Ayn Rand quote that reads: “I started my life with a single absolute: that the world was mine to shape in the image of my highest values and never to be given up to a lesser standard.”
Cloudstar then wrote: “The dawn of a new Cloudstar is upon us. Check back soon as we architect a robust future where technology safely enables the exchange of commerce. To our loyal customers, we thank you for your continued support and look forward to servicing your information technology needs.”
The lack of clarity on Cloudstar’s website feels frighteningly on brand for a firm that suffered an attack a year ago, when no one yet knows who carried out the attack or how they bypassed Cloudstar’s security systems.
“I do security for a national underwriter,” Phillips said. “I feel like I need to understand what happened. It is not about finger pointing, it is about finding out how it happened so we can build better defenses for future attacks. I mean within weeks information was out about the SolarWinds attack and this has been a year and we have nothing.”
Even before the Cloudstar attack, security and preparedness were top of mind for Phillips.
“The advice we have been giving everybody is to think about business resilience and what the worst case scenario might look like and how you can recover from that,” he said.
Reggie Davis, the general counsel at closing software provider Qualia, said that backups are key.
“I’m a big believer that you don’t want to have a lot of heroic efforts when it comes to security,” Davis said. “You want to have good people, processes and policies behind the scenes. We also encourage people to do business continuity disaster recovery planning and training, so that we don’t just have backups, but we know how to go access them and bring them live because the last thing you want to be doing is bringing up a backup for the first time when you think you’ve got a denial of service attack or some kind of problem going on.”
In the wake of the attack, Qualia, whose services were not affected, offered firms impacted by the hack free access to its Qualia Core system for three months (many firms, like Certified Title, did not have access to their closing software because it had been stored within Cloudstar). Premier One, a cloud storage and IT solutions provider, also offered its services to the title insurers impacted by the attack.
According to Kevin Nincehelser, the chief operations officer of Premier One, firms that had business continuity plans (BCPs) were better prepared.
“We provide segregated, individual environments for companies instead of having one big environment that is shared by everyone, so there is an added layer of security through that,” Nincehelser said. “Compared to a year ago or two years ago, we have seen an exponential rise in both the volume and sophistication of attacks, so maintaining a high level of security – it really [was] a moving target, but having a BCP, even if it is just one page, can make a huge difference.”
Millstein said that talking about the attack is difficult for him, but he knows that it is good to talk through it all, and he counts himself and Certified Title among the lucky ones who made it through the attack, as some of the smaller title firms ended up shutting down as a result. Millstein also acknowledged that although the wounds caused by the attack still feel fresh, he is now able to see things from a different perspective.
“For me the better story is the flip side, which is the collaborative effort of the people in our industry who rallied to save us,” he said. “It was amazing to see. If I am fortunate enough to stay in business for another 30 years, those people will still have my loyalty because without a doubt we would not have survived this without them.”