First American Pays a $488,000 Data Breach Fine
- By Dawna M. Roberts
- Published: Jun 29, 2021
- Last Updated: Mar 18, 2022
As a result of a data breach two years ago, title insurance and settlement services company First American Financial Corp. of Santa Clara, California, will pay the U.S. Securities and Exchange Commission a $488,000 fine.
The Truth Exposed
A security investigation into the data breach revealed that IT staff members at First American had known for five months about a software vulnerability that could lead to a breach, but did nothing to fix the problem. The information came to light in an SEC document released publicly.
The data breach exposed homeowners' information going back to 2003 and included personally identifiable information (PII) such as social security numbers, driver's license scans, financial information, mortgage closing documents, wire transfers, and other damaging details. The information was stored in an online document-sharing system, holding more than 800 million documents. Not all were exposed.
Brian Krebs of KrebsOnSecurity was the first to discover the exposed data and reported it to First American.
First American is accused of violating Exchange Act Rule 13a-15(a) and will also face civil charges filed by the New York State Department of Financial Services. First American vehemently disagrees with the charges and will fight them in court.
Some security experts believe that the penalty is light and should be harsher (well into the millions).
According to Data Breach Today:
"The SEC has issued much larger penalties related to cybersecurity and data breaches. Yahoo, now called Altaba, agreed to a $35 million civil penalty from the SEC in April 2018. That situation, however, was much different than the one facing First American."
The Results of the SEC Investigation
After the breach was disclosed, the SEC launched its own investigation into the First American exposure and published its findings in an eight-page document detailing the sequence of events.
Even after Krebs notified the company, management was unaware that staff members had known of the risk of exposure and had failed to take action to fix it. Data Breach Today explains:
"In violation of company policies, employees did not bring the issue to the attention of senior information security staff or fix the flaw in the required time period, the SEC reports. Also, the vulnerability's severity was improperly classified, the document says."
The problem stems from software called EaglePro, which enables users to scan and upload documents and share them using URLs. Some of the 800 million documents stored within the system were password-protected, and others were not.
The SEC's investigation revealed that on January 11, 2019, First American's IT team produced a report showing that manual penetration testing had found that "a user could increment the digits in a URL and see other documents in the system, according to the SEC. Also, some document images had been cached on publicly available search engines."
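The two findings in that report, document URLs whose digits could be incremented and document images cached by public search engines, both come down to a small amount of server-side code. The following is an added Python example, not First American's or EaglePro's code, that shows the vulnerable lookup pattern next to a hardened one with per-object authorization, random share tokens and cache-suppressing headers; every document, user and identifier in it is constructed sample data.

```python
"""Added example (not First American's or EaglePro's code): the
insecure-direct-object-reference pattern the SEC report describes,
beside a hardened lookup.  Every document, user and identifier here is
constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets


@dataclass
class Document:
    doc_id: int                       # sequential database key (constructed)
    owner: str
    shared_with: Set[str] = field(default_factory=set)
    content: str = ""


# Constructed store keyed by sequential integers, the kind of id that the
# penetration test found could simply be incremented in a URL.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", content="closing statement for alice"),
    1002: Document(1002, "bob", content="wire instructions for bob"),
    1003: Document(1003, "carol", {"alice"}, "deed copy shared with alice"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """Vulnerable pattern: any valid numeric id returns the document.
    Nothing checks who is asking, so changing the digits in the URL
    yields another customer's file."""
    doc = DOCS.get(doc_id)
    return doc.content if doc else None


class AccessDenied(Exception):
    """Raised for both 'no such document' and 'not yours'."""


def can_read(doc_id: int, user: str) -> bool:
    """Object-level authorization: the owner or an explicitly shared-with user."""
    doc = DOCS.get(doc_id)
    return doc is not None and (user == doc.owner or user in doc.shared_with)


def fetch_document_hardened(doc_id: int, user: str) -> str:
    """The id alone is not enough; the caller must be authorized for this
    specific object.  Missing and forbidden documents fail the same way so
    the response does not confirm which ids exist."""
    if not can_read(doc_id, user):
        # Worth logging: a run of denials for consecutive ids from one
        # client is what id enumeration looks like in access logs.
        raise AccessDenied(f"user {user!r} may not read document {doc_id}")
    return DOCS[doc_id].content


# Share links carry a random token instead of the sequential key, so a
# recipient cannot reach a neighbouring document by editing the URL.
SHARE_TOKENS: Dict[str, int] = {}


def create_share_link(doc_id: int, user: str) -> str:
    """Only a user who can already read the document may mint a link."""
    fetch_document_hardened(doc_id, user)          # raises if not allowed
    token = secrets.token_urlsafe(32)              # 256 bits of entropy
    SHARE_TOKENS[token] = doc_id
    return token


def fetch_by_share_token(token: str) -> str:
    """Resolve a share token; unknown tokens fail exactly like denied ids."""
    doc_id = SHARE_TOKENS.get(token)
    if doc_id is None:
        raise AccessDenied("unknown or expired share token")
    return DOCS[doc_id].content


def response_headers() -> Dict[str, str]:
    """Headers for every document response: the report also found images
    cached by public search engines, which no-store and noindex address."""
    return {"Cache-Control": "private, no-store",
            "X-Robots-Tag": "noindex, nofollow"}


if __name__ == "__main__":
    print(fetch_document_vulnerable(1002))           # hands bob's file to anyone
    print(fetch_document_hardened(1003, "alice"))    # shared with alice: allowed
    link = create_share_link(1001, "alice")
    print(fetch_by_share_token(link))                # resolves via random token
```

The hardened version changes three things the report calls out: the check moves from "is this id valid" to "may this caller read this object", links handed to third parties no longer reveal a sequential key, and every response tells caches and crawlers not to keep a copy. A production system would additionally store only a hash of each share token and give tokens an expiry.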
Additionally, the issue was misclassified as "low risk" rather than serious, a rating that would have required it to be fixed within 45 days. Because of the misclassification, the company took more than 90 days to address it.
This oversight brought the SEC into the picture, as Data Breach Today explains:
"If a vulnerability can't be fixed in the normal timeline, First American Financial's VRM calls for the EaglePro accountable remediation owner and management to obtain either a waiver or risk-acceptance approval from the CISO, the SEC says. But that didn't happen. The company's CISO learned about the January 2019 penetration test report on May 24, 2019. The company's CIO learned about both the report and the lack of remediation a day after the CISO did, the SEC report says."
The SEC justifies the penalty as follows:
"These senior executives thus lacked certain information to fully evaluate the company's cybersecurity responsiveness and the magnitude of the risk from the EaglePro vulnerability at the time they approved the company's disclosures."