First American Financial's SEC Breach Settlement: $488,000
SEC: Executives Left in Dark About Vulnerability in File-Sharing System
First American Financial Corp., a Santa Clara, California-based company that's one of the largest providers of title insurance and settlement services, will pay the U.S. Securities and Exchange Commission a $488,000 penalty as a result of a data breach revealed two years ago.
An SEC document reveals that information security staff members at the company were aware of a software vulnerability for five months but failed to fix it, leading to the breach.
The data breach exposed personal and mortgage-related documents via an online document-sharing system that held some 800 million documents. The files contained personal data, including Social Security numbers, financial information, driver's license scans, PDFs of home closing documents, wire transfers and more dating back to 2003 (see: Report: SEC Investigates First American Data Exposure).
The SEC accused First American Financial of violating Exchange Act Rule 13a-15(a).
The company still faces civil charges filed against it by the New York State Department of Financial Services. Those charges were the first to be brought by the agency under its Cybersecurity Regulation, which went into effect in March 2017. First American Financial has said it "strongly disagrees" with the charges (see: First American Title Insurance Co. Faces Charges in NY).
First American Financial did not immediately respond to a request for comment on the settlement.
The penalty seems light in view of the harm and scope of the breach, says Michael Volkov, CEO of the Volkov Law Group and a former assistant U.S. attorney.
"It seems like a very strong and straightforward case that should have resulted in a multi-million dollar settlement," Volkov says.
The SEC has issued much larger penalties related to cybersecurity and data breaches. Yahoo, now called Altaba, agreed to a $35 million civil penalty from the SEC in April 2018. That situation, however, was much different from the one facing First American.
The SEC alleged that Yahoo knew of a breach by suspected Russian hackers that occurred around December 2014 but delayed notifying regulators until nearly two years later (see: SEC Fines Yahoo $35 Million Over 2014 Breach).
Pen Test Uncovered Flaw
An eight-page document released by the SEC describes what it discovered during its investigation. Even after Krebs broke news of the breach, senior executives at the company were still unaware that its own staff had discovered the vulnerability on their own months earlier.
In violation of company policies, employees did not bring the issue to the attention of senior information security staff or fix the flaw in the required time period, the SEC reports. Also, the vulnerability's severity was improperly classified, the document says.
The vulnerability was contained in First American Financial's EaglePro system, which held some 800 million images of documents that contained both public and nonpublic data. EaglePro, which the company started using in 2013, enables images of documents to be sent in URLs. Some of those URLs were password protected while others weren't.
On Jan. 11, 2019, First American Financial's information security team finalized a report describing how, during a manual penetration test, it found that a user could increment the digits in a URL and see other documents in the system, according to the SEC. Also, some document images had been cached on publicly available search engines.
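The flaw the SEC order describes is a direct object reference: the number in the share URL is the only thing that selects the file. The following is an added illustration, not EaglePro's or First American's code, of that pattern beside a hardened form that keys the link on an unguessable token and checks the requester's authorisation; the document store, user names and `response_headers` helper are constructed for the example.

```python
# Added example, not First American's code: a sequential document id in a share
# URL lets anyone who changes the number read other customers' files (the flaw
# the SEC order describes); the hardened form uses an unguessable token and an
# explicit access check. All records and user names here are constructed.
import secrets
from typing import Optional

# Constructed store with sequential ids, as a document-sharing system might assign.
DOCUMENTS = {
    100001: {"owner": "alice", "content": "closing statement, 12 Elm St"},
    100002: {"owner": "bob", "content": "wire instructions, acct ending 4411"},
}

def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """Vulnerable: /view?id=100001 selects the file with no check of who asks."""
    doc = DOCUMENTS.get(doc_id)
    return doc["content"] if doc else None

SHARE_LINKS = {}  # token -> {"doc_id": int, "allowed": set of user names}

def create_share_link(doc_id: int, recipients: set) -> str:
    """Issue a 256-bit random token bound to one document and its allowed readers."""
    token = secrets.token_urlsafe(32)
    allowed = set(recipients) | {DOCUMENTS[doc_id]["owner"]}
    SHARE_LINKS[token] = {"doc_id": doc_id, "allowed": allowed}
    return token

def fetch_document_hardened(token: str, requester: str) -> Optional[str]:
    """Hardened: /view?t=<token> for an authenticated requester. Fails closed on an
    unknown token or on a token this user was never granted."""
    link = SHARE_LINKS.get(token)
    if link is None or requester not in link["allowed"]:
        return None
    return DOCUMENTS[link["doc_id"]]["content"]

def response_headers() -> dict:
    """Headers for the document response so that search engines and shared caches
    do not retain the file (the SEC notes cached images turned up in search results)."""
    return {"Cache-Control": "no-store, private", "X-Robots-Tag": "noindex, nofollow"}

def demo() -> dict:
    """Contrast the two designs: id+1 leaks under the vulnerable one; under the
    hardened one a guessed value, or a real token used by the wrong user, yields nothing."""
    token = create_share_link(100002, {"carol"})
    return {
        "vulnerable_next_id": fetch_document_vulnerable(100001 + 1),
        "guessed_token": fetch_document_hardened("100002", "alice"),
        "wrong_user": fetch_document_hardened(token, "alice"),
        "right_user": fetch_document_hardened(token, "carol"),
    }
```

The token alone is not enough in the hardened version: the server still confirms the authenticated requester was granted that link, so a leaked or forwarded URL does not by itself disclose the file.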
The bug merited being classified as a level 3 issue, also called "serious," according to the company's vulnerability remediation management policy. Those types of issues should have been fixed within 45 days. But the bug ended up being mistakenly classified as a level 2 issue, considered low risk, due to a clerical error, the SEC document says. First American Financial's VRM called for level 2 issues to be fixed within 90 days.
Executives Left in Dark
The bug still wasn't fixed, however, by May 8, 2019, which was 90 days after the misclassified bug was put into the risk management system and just a couple of weeks before Krebs' breach notification and subsequent story.
If a vulnerability can't be fixed in the normal timeline, First American Financial's VRM calls for the EaglePro accountable remediation owner and management to obtain either a waiver or risk-acceptance approval from the CISO, the SEC says. But that didn't happen. The company's CISO learned about the January 2019 penetration test report on May 24, 2019. The company's CIO learned about both the report and the lack of remediation a day after the CISO did, the SEC report says.
As a result, a press release about the breach issued on May 24, 2019, and a Form 8-K filed with the SEC were created without full knowledge of the situation, the SEC writes.
"These senior executives thus lacked certain information to fully evaluate the company’s cybersecurity responsiveness and the magnitude of the risk from the EaglePro vulnerability at the time they approved the company’s disclosures," the SEC writes.