First American Title Insurance Co. Faces Charges in NYCompany Could Be Fined $1,000 for Each Violation of State Cybersecurity Law
The New York State Department of Financial Services has filed civil charges against First American Title Insurance Co., a subsidiary of First American Mortgage Corp. that’s been accused of exposing hundreds of millions of documents that contained customers’ mortgage and personal data.
The charges, announced Wednesday, are the first to be brought under the department's Cybersecurity Regulation, which went into effect in March 2017. The regulation requires banks and other financial services firms to maintain certain cybersecurity standards, including conducting risk assessments and having the ability to notify regulators and consumers in a timely manner following a security incident.
In the charges filed this week, state officials accuse First American Title Insurance Co. of not only exposing customer data, but also failing to conduct a proper investigation into the cause of the exposure, which was discovered during an internal penetration test in December 2018 (see: First American Mortgage Faces NY Regulator Inquiry, Lawsuit).
The millions of documents that were left exposed to the internet included personal information, such as Social Security numbers, bank account details, mortgage and tax records, wire transaction receipts and driver’s license images, according to New York authorities.
"First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability," according to the Department of Financial Services.
First American is the second-largest title insurance company in the U.S. In 2019, the company wrote more than 50,000 policies in New York, DFS reports.
Under the New York Cybersecurity Regulation, companies found guilty of violating the law can face penalties of up to $1,000 for each violation. DFS considers each incident of exposed data by First American as a violation of the law. An initial hearing about the case has been set for Oct. 26.
In a statement provided to Information Security Media Group, a spokesperson for Santa Clara, Calif.-based First American Title Insurance Co. says the company plans to contest the charges.
"First American strongly disagrees with the New York Department of Financial Services’ charges relating to a limited cybersecurity incident from May 2019," the spokesperson says. "As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information."
Records Potentially Exposed
In May 2019, Ben Shoval, a Washington State real estate developer, first discovered that First American's website had potentially exposed an estimated 885 million housing-related files and documents containing personal data going back to 2003 (see: Title Company Exposes 16 Years of US Mortgage Data).
Shoval discovered he could access other documents within First American's database by changing a number that appeared in a URL. The online database did not require authentication to view the documents, which included tax records, real estate transaction documents, driver's license images and wire transfer documents, according to a report by security blogger Brian Krebs.
After reports of the vulnerability were made public, the database was taken offline. It's not clear if anyone inappropriately accessed any of the exposed data, according to the Krebs' report. The DFS report does mention if any records were inappropriately accessed or stolen.
As part of its investigation, the New York DFS found that First American failed to follow its own security policies and neglected to conduct a risk assessment of the vulnerable system that contained the data, according to papers filed in the case.
First American also misclassified the vulnerability in its internal system as "low" risk despite the large number of documents that were potentially exposed, according to the documents. The company also failed to investigate the vulnerability within the timeframe outlined within its own cybersecurity policies, DFS says.
The DFS complaint also alleges that after an internal penetration test found the flaw in 2018, the company did not fully respond until the vulnerability was made public in May 2019. The company "failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability," DFS says.
Another Investigation Pending
The U.S. Securities and Exchange Commission is also investigating the First American case (see: Report: SEC Investigates First American Data Exposure).
Although First American has denied putting its customers at risk, the company is providing one year of prepaid credit monitoring to anyone who held a title insurance policy or used its escrow and closing services since Jan. 1, 2003.