TechTronBlog.com

Technology, Innovation, Collaboration
Menu
  • Features
  • Gadget
  • Mobile
  • Uncategorized

Daily Tech Updates Sent to your Email

Join our Newsletter
Home
Gadget
NY Charges First American Financial for Massive Data Leak
Gadget

NY Charges First American Financial for Massive Data Leak

zadmin August 17, 2020

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.

First American Financial Corp.

Santa Ana, Calif.-based First American [NYSE:FAF] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019.

As first reported here last year, First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

The documents were available without authentication to anyone with a Web browser.

According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.

“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.

In a written statement, First American said it strongly disagrees with the DFS’s findings, and that its own investigation determined only a “very limited number” of consumers — and none from New York — had personal data accessed without permission.

In August 2019, the company said a third-party investigation into the exposure identified just 32 consumers whose non-public personal information likely was accessed without authorization.

When KrebsOnSecurity asked last year how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying only that its logs covered a period that was typical for a company of its size and nature.

But in Wednesday’s filing, the DFS said First American was unable to determine whether records were accessed prior to Jun 2018.

“Respondent’s forensic investigation relied on a review of web logs retained from June 2018 onward,” the DFS found. “Respondent’s own analysis demonstrated that during this 11-month period, more than 350,000 documents were accessed without authorization by automated ‘bots’ or ‘scraper’ programs designed to collect information on the Internet.

The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

First American’s stock price fell more than 6 percent the day after news of their data leak was published here. In the days that followed, the DFS and U.S. Securities and Exchange Commission each announced they were investigating the company.

First American released its first quarter 2020 earnings today. A hearing on the charges alleged by the DFS is slated for Oct. 26.

Share
Tweet
Email
Prev Article
Next Article

Related Articles

https://grahamcluley.com/feed-sponsor-recorded-future-4/

Prioritize alerts and jump-start your investigations with Recorded Future’s free browser extension. Sign up now.

https://www.cnet.com/news/google-wins-dismissal-of-lyric-stealing-lawsuit/#ftag=CAD590a51e

Google wins dismissal of lyric-stealing lawsuit – CNET

About The Author

zadmin

Leave a Reply

Cancel reply

Recent Posts

  • New tech and gadgets you absolutely can’t miss
  • Razer Pro Click ergonomic wireless mouse maximizes your productivity
  • Lume Cube Panel Mini Bicolor LED Light provides on-the-go lighting for photographers
  • LINKA LEO GPS Smart Bike Lock can track your bicycle’s movements in more than 100 countries
  • Razer Pro Glide soft mouse mat cushions your hand during use

Recent Comments

    Archives

    • August 2020

    Categories

    • Features
    • Gadget
    • Mobile
    • Uncategorized

    Meta

    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org

    TechTronBlog.com

    Technology, Innovation, Collaboration
    Copyright © 2021 TechTronBlog.com
    Theme by MyThemeShop.com

    Ad Blocker Detected

    Our website is made possible by displaying online advertisements to our visitors. Please consider supporting us by disabling your ad blocker.

    Refresh