On May 15th of this year, we informed you that First American Financial Corp. leaked hundreds of millions of title insurance records. Discovered by KrebsOnSecurity, the digitized records — including bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images — were available without authentication to anyone with a web browser.
First American Title Insurance Company is one of the largest providers of title insurance in the United States. In 2019, First American wrote more than 50,000 policies in New York State.
Even worse for the company, it is now the subject of the first cybersecurity enforcement action filed by the New York Department of Financial Services (DFS).
These charges are the first to be filed alleging violations of DFS’s Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations.
DFS alleges multiple failures in First American's handling of this extraordinary data exposure of sensitive consumer information, including:
- First American failed to follow its own policies, neglecting to conduct a security review and a risk assessment of the flawed computer program and the sensitive data associated with the data vulnerability;
- First American misclassified the vulnerability as “low” severity despite the magnitude of the document exposure, while also failing to investigate the vulnerability within the timeframe dictated by First American's internal cybersecurity policies;
- after the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability; and
- the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.
DFS alleges that these errors, deficient controls, and other flaws in First American’s cybersecurity practices led to the data exposure that persisted for years, including months after it was discovered.
According to the statement of charges, First American violated six provisions of the Cybersecurity Regulation. The Cybersecurity Regulation is implemented pursuant to Section 408 of the Financial Services Law. Any violation of Section 408 with respect to a financial product or service, which includes title insurance, carries penalties of up to $1,000 per violation. DFS alleges that each instance of Nonpublic Information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
According to the full copy of the statement of charges on the DFS website, the specific issue is as follows:
The Uniform Resource Locator (the “URL”) of a web application is the specific web address that makes it possible to request a document, file, video, or other resource maintained on the web. By permitting a URL on its public website to be vulnerable to manual manipulation, or re-writing, Respondent knowingly laid bare millions of personal datapoints of its customers from hundreds of First American consumer files for access without any login or authentication requirements.
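The flaw the charges describe, a document URL that can be rewritten to reach other customers' files, is an authorization failure at the endpoint rather than a network or credential problem. As an added illustration (not code from the DFS filing or from First American), here is that pattern beside a hardened handler; the document store, session tokens and user names are all constructed for the example:

```python
"""Added example: a document-retrieval endpoint that trusts the ID in the URL
(the pattern described in the DFS charges) beside a hardened version that
requires a valid session and checks record ownership. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample store: sequential document IDs, each tied to one customer.
DOCUMENTS = {
    1001: {"owner": "alice", "title": "Closing statement (constructed)"},
    1002: {"owner": "bob", "title": "Wire receipt (constructed)"},
}
# Constructed session tokens mapped to the authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def fetch_document_vulnerable(doc_id: int) -> Response:
    """Flaw pattern: the record is looked up purely from the ID in the URL.
    No login is required, so rewriting ?id=1001 to ?id=1002 returns
    another customer's file."""
    doc = DOCUMENTS.get(doc_id)
    return Response(200, doc) if doc is not None else Response(404)


def fetch_document_hardened(doc_id: int, session_token: Optional[str]) -> Response:
    """Fix: authenticate the caller, then verify the record belongs to them.
    Unknown and foreign records both return 404 so the endpoint does not
    confirm which IDs exist. Unguessable references (random tokens instead
    of sequential IDs) are a further layer, not a substitute for this check."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return Response(401)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return Response(404)
    return Response(200, doc)


def count_readable(fetch: Callable[[int], Response],
                   id_range: Iterable[int] = range(1000, 1010)) -> int:
    """Regression check for reviewers and internal pen tests: how many records
    does a client walking sequential IDs retrieve? For a single logged-in
    user the answer should be exactly that user's own documents."""
    return sum(1 for doc_id in id_range if fetch(doc_id).status == 200)
```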
The hearing will be held at the office of the New York State Department of Financial Services, One State Street, New York, New York, beginning on October 26, 2020.
The bottom line here is as follows. Companies dealing with sensitive information have to worry about hackers getting through their firewalls and penetrating their systems. They need to worry about employees being paid to allow hackers in and they need to be sure their developers aren’t writing code which allows personal information to be exposed.
Related to this last point – they have to be sure systems are patched and software updates are performed. For example, it was discovered today that Microsoft Windows XP source code has leaked onto the internet. This may be a problem not only for XP machines that companies may still be relying on, but also for other Windows systems that share some of XP’s code.
If our math is right, $1,000 per violation when there are 850 million violations means a fine of $850 billion.
The market cap of the company is currently $5.5 billion. It has dropped roughly 26% since this incident was first reported, meaning it has lost just under two billion dollars in value since this news broke.
This tells us the market does not think the damage from this event will exceed $2 billion, which is still a hefty sum.
Other companies need to learn from this and be sure to steer clear of the same mistakes.
Ask the experts at Apex Technology Services about how we can help your organization stay secure.