In May 2019, KrebsOnSecurity revealed that the website of title insurance giant First American Financial Corp. had exposed about 885 million records related to mortgage transactions dating back to 2003. On Wednesday, regulators in New York announced that First American is the target of the regulator's first-ever cybersecurity enforcement action in connection with the incident, and that the charges could result in substantial financial penalties.
First American, based in Santa Ana, California, is a leading provider of title insurance and settlement services to the real estate and mortgage industries. The company, which employs about 18,000 people, generated $6.2 billion in revenue in 2019. Media reported last year that First American’s website exposed digital mortgage insurance records dating back 16 years – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transfer receipts and driver’s license images.
Anyone with a web browser could obtain these files without any authentication.
According to a document from the New York State Department of Financial Services (DFS), the vulnerability that exposed the documents was first introduced when software updates were applied in May 2014 and went undetected for years. To make matters worse, DFS found that First American's own penetration test in December 2018 had identified the vulnerability.
“It’s worth noting that respondents instead allowed unlimited access to the personal and financial data of millions of their customers for six months until the vulnerability and its serious consequences were widely publicized by a well-known national cybersecurity industry reporter,” DFS explained in a statement about the allegations.
Reuters reported that regulators are likely to penalize First American. DFS treats each exposed record of personal information as a separate violation, and the company faces penalties of up to $1,000 per violation.
In a written statement, First American said it strongly disagreed with the DFS findings, and that its own investigation determined that only a "very limited" number of consumers, none of them from New York, had their personal data accessed without authorization.
In August 2019, the company said a third-party investigation into the exposure identified only 32 consumers whose nonpublic personal information could be accessed without authorization.
When KrebsOnSecurity asked last year how long it retained its access logs or how far back the review went, First American declined to elaborate, saying only that its logs covered a period typical for companies of its size and nature.
But in Wednesday's filing, DFS said First American could not determine whether records were accessed before June 2018. "The defendant's forensic investigation relied on a review of the logs retained after June 2018," DFS found. "The respondent's own analysis shows that over the past 11 months, more than 350,000 documents were accessed without authorization by automated 'robots' or 'crawlers,' programs designed to collect Internet information."
First American's exposed records are a virtual gold mine for phishers and fraudsters involved in so-called business e-mail compromise (BEC) scams, who often pose as real estate agents, transfer agents, title holders or custodians to trick property buyers into wiring money to the fraudsters. BEC fraud is the most expensive form of cybercrime today, according to the FBI.
First American's shares fell more than 6 percent the day after the exposure was reported. In the days that followed, DFS and the Securities and Exchange Commission separately announced investigations into the company.
First American reported its first-quarter 2020 results on Thursday. A hearing on the DFS charges is scheduled for October 26.