The New York State Department of Financial Services said Social Security numbers, bank account numbers, drivers' licenses and other records were exposed from October 2014 to May 2019 because of a known vulnerability in title insurer First American's website.
It said First American's cyber defense team discovered the vulnerability in December 2018 by conducting a simulated cyberattack known as a "penetration test," but the company ignored the team's urging that it follow up.
Penalties could be significant, because the regulator considers each instance of exposed personal information a separate violation, with a maximum $1,000 penalty.
First American said on May 24, 2019, that it had fixed the vulnerability, after cybersecurity specialist Brian Krebs wrote that 885 million records dating to 2003 had been exposed.
To avoid finding your organization in the same situation, it is worth reading the following excerpts from the complaint, which cite the many problems that got the company into this mess:
- By permitting a URL on its public website to be vulnerable to manual manipulation, or re-writing, Respondent knowingly laid bare millions of personal datapoints of its customers from hundreds of First American consumer files for access without any login or authentication requirements.
- Respondent’s mishandling of its own customers’ data was compounded by its willful failure to remediate the Vulnerability, even after it was discovered by a penetration test in December 2018.
- In October 2014, Respondent updated the EaglePro system in a manner that gave rise to the Vulnerability.
- The URL for each website shared via EaglePro included an ImageDocumentID number, and each document in FAST was assigned a sequentially numbered ImageDocumentID.
- By changing the ImageDocumentID number in the URL by one or more digits, anyone could view the document corresponding to the revised ImageDocumentID.
- Respondent grossly underestimated the level of risk associated with the Vulnerability.
- Respondent failed to follow its own cybersecurity policies.
- Respondent conducted an unacceptably minimal review of exposed documents, and thereby failed to recognize the seriousness of the security lapse.
- Respondent failed to heed advice proffered by its own in-house cybersecurity experts.
- Respondent failed to adhere to its internal policies, and delayed addressing the Vulnerability for six months.
- Remediation was ineffectively assigned to an unqualified employee.
- Respondent also failed to timely encrypt documents containing NPI as required by the Department’s Cybersecurity Regulation. 23 NYCRR Section 500.15 requires, among other things, that documents containing NPI be encrypted.
- Respondent’s own analysis demonstrated that during this 11-month period, more than 350,000 documents were accessed without authorization by automated “bots” or “scraper” programs designed to collect information on the Internet.
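The ImageDocumentID flaw the complaint describes is an insecure direct object reference. The following added example (not First American's or EaglePro's code; the document store, user names, URL path and log format are constructed for illustration) shows the vulnerable lookup beside a hardened version that pairs unguessable share tokens with a server-side ownership check, plus a log check that flags the sequential-ID walking the complaint attributes to scraper bots.

```python
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample store (not real data): ImageDocumentID -> (owner, contents).
DOCS = {
    1001: ("alice", "closing statement, 12 Main St"),
    1002: ("bob", "wire instructions, 7 Oak Ave"),
    1003: ("carol", "mortgage payoff, 9 Elm Rd"),
}

def fetch_document_vulnerable(image_document_id: int) -> Optional[str]:
    """The flaw in the complaint: the sequential ID from the URL is the only
    input consulted, so changing it by one returns another customer's file."""
    entry = DOCS.get(image_document_id)
    return entry[1] if entry else None

SHARE_TOKENS: dict[str, int] = {}  # random share token -> ImageDocumentID

def create_share_link(image_document_id: int) -> str:
    """Hardening step 1: the shared URL carries a random token, not a row number."""
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = image_document_id
    return token

def fetch_document_hardened(token: str, user: Optional[str]) -> Optional[str]:
    """Hardening step 2: require an authenticated user and verify ownership.
    An unguessable URL on its own is not access control."""
    if user is None:
        return None
    doc_id = SHARE_TOKENS.get(token)
    if doc_id is None:
        return None
    owner, contents = DOCS[doc_id]
    return contents if owner == user else None

def find_enumerating_clients(log_lines, min_run: int = 5):
    """Detection: flag source IPs that request consecutive ImageDocumentIDs.
    Constructed log format: '<ip> GET /EaglePro/doc?ImageDocumentID=<n>'."""
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        ip, _, path = line.split()
        ids_by_ip[ip].append(int(path.rsplit("=", 1)[1]))
    flagged = []
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(ip)
    return flagged
```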
First American is currently worth $6 billion, so we don’t think the fine will be hundreds of billions of dollars. What we do know is that companies do not take cybersecurity seriously enough and, as a result, they lose the trust of customers and investors.
We have seen companies close as a result of a similar issue.
This particular error, using sequential, guessable numbers to reference private documents on the web, is as basic as it gets.
Companies often hire an IT company or an internal team to do penetration testing, update the firewalls and patch systems, but then they write software that exposes the very information they are paying IT to protect.
Typically, the CISO is not in charge of software development. In many cases, U.S. companies outsource software writing to another country or company.
This leads to situations where the CISO cannot properly ensure that software is written securely. Most CISOs do not have a software development skill set, which is another impediment.
A multibillion-dollar company should have had separate cybersecurity controls in place to audit software production.
While software development companies know to do this because their business is software, many other companies do not, and that is where messes such as this one arise and cause problems.
Ask the experts at Apex Technology Services about how we can help your organization stay secure.