Charlottesville Settlement: Data Breach Affects 22,041

Charlottesville Settlement Company, a locally owned real estate title and settlement agency based in Charlottesville, Virginia, disclosed a data breach that affected approximately 22,041 individuals in the United States.

The breach affected not only Charlottesville Settlement Company but also its affiliated settlement companies. Those affiliates are Shenandoah Settlement Services LLC (now trading as High Crest Settlement) and Freedom Settlement Services LLC (formerly trading as Seven Hills Settlement). These entities are collectively referred to as CSC in the company's notification to consumers.

The breach was disclosed to the Maine Attorney General on March 18, 2026, with 19 Maine residents identified as affected. Charlottesville Settlement Company discovered the breach on March 10, 2026, and began notifying consumers in writing on March 18, 2026.

What happened in the Charlottesville Settlement Company data breach

According to the company's notification to consumers, an unknown actor gained unauthorized access to the company's network on Sept. 2, 2025. Two days later, on Sept. 4, 2025, Charlottesville Settlement Company observed unusual activity within its network environment.

Upon discovering this activity, the company took steps to secure its environment and engaged external cybersecurity experts to conduct an investigation. The goal of the investigation was to determine what happened and whether any data within the company's environment may have been impacted.

Through that investigation, the company learned that the unauthorized actor potentially accessed and acquired certain files. Some of those files may have contained personal information belonging to consumers.

Following the investigation, the company undertook a comprehensive review of the potentially impacted data. It then worked to verify the affected information and confirm mailing addresses for impacted individuals to ensure it had the most up-to-date contact information.

At this time, the only confirmed type of information exposed include names. However, the company's notification to consumers indicated that additional personal data elements may have varied by individual.

Charlottesville Settlement Company's response to the breach

CSC is offering affected individuals complimentary credit monitoring and identity theft protection services through IDX, which it described as a data breach and recovery services expert. The IDX identity protection services include credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy and fully managed identity theft recovery services.

Affected individuals can enroll through the IDX portal using the enrollment code provided in their written notification letter. They can also call 1-888-201-4078 to enroll or ask questions. The deadline to enroll in these complimentary services is June 18, 2026.

IDX representatives are available for 90 days from the date of the notification letter. They can be reached Monday through Friday from 9 a.m. to 9 p.m. Eastern Time, excluding major U.S. holidays. According to the company's notification, IDX representatives are fully versed on this incident and can help answer questions consumers may have regarding the protection of their information.

Steps to take if your information was exposed

• Review account statements and credit reports closely. Look for any unfamiliar or suspicious activity and report it promptly to the financial institution or company where the account is maintained.
• Request free credit reports at AnnualCreditReport.com from each of the three major credit reporting agencies: Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (1-833-799-5355).
• Consider placing a fraud alert on credit files by contacting any one of the three major credit reporting agencies, which will then notify the other two.
• Consider placing a credit freeze on credit files with each of the three credit reporting agencies to prevent new accounts from being opened without authorization.
• Be cautious of phishing attempts that reference Charlottesville Settlement Company, its affiliated companies or this breach by name, as scammers may try to exploit the situation through fake emails or letters.
• Report any suspected identity theft to local law enforcement, the relevant state attorney general or the Federal Trade Commission at 877-438-4338.