Report: SEC Investigates First American Data ExposureTitle and Settlement Company Exposed Hundreds of Millions of Data Records
The U.S. Securities and Exchange Commission is investigating the exposure of hundreds of millions of personal and mortgage-related records from First American Financial Corp., according to a report by security blogger Brian Krebs.
The Santa Clara, California-based company is one of the largest providers of title insurance and settlement services. A Washington state real estate developer, Ben Shoval, discovered that First American’s website exposed an estimated 885 million housing-related files and personal data documents going back to 2003 (see: Title Company Exposes 16 Years of US Mortgage Data).
Shoval received a letter on Aug. 7 from the SEC asking him to provide documentation related to the incident to the agency by Aug. 21, Krebs reports. The SEC’s letter to Shoval says its aim is to determine if the company violated federal securities laws. The SEC describes the probe as a non-public, fact-finding inquiry, Krebs reports.
The SEC has stepped into major data security incidents before. It fined Yahoo $35 million in April 2018 after accusing the company of failing to notify investors of a breach until two years later (see: SEC Fines Yahoo $35 Million Over 2014 Breach).
First American Financial Corp. did not respond to a request for comment. A SEC spokesman says the agency has no comment.
First American reported on July 25 net income of $186.7 million on total revenue of $1.5 billion in its second quarter. It says it spent $1.7 million on the data exposure incident in the quarter.
Access Without Authorization
The SEC’s investigation adds another layer of complication for First American, which is already facing a class action lawsuit and an investigation by New York's Department of Financial Services (see: First American Mortgage Faces NY Regulator Inquiry, Lawsuit).
Shoval found he could increment the URL for a valid document, which then exposed other documents in First American’s systems without authentication. After failing to get First American’s attention, he tipped off Krebs. First American subsequently closed the hole.
Among the accessible documents were wire transactions containing bank account numbers, PDFs of home closing documents, tax records and drivers license images. One document published but redacted by Krebs included a seller’s name, marital status, physical address, email address, mortgage lender and Social Security number.
The documents appeared to be stored incrementally, and Krebs found one numbered "000000075" that appeared to come from 2003.
First American: 32 People Affected
First American hasn’t disclosed how many documents were publicly available. But on July 16, it said its investigation had turned up how many consumers’ personal information may have been compromised: 32.
“The investigation identified 32 consumers whose non-public personal information likely was accessed without authorization,” the company says in a notice. “These 32 consumers have been notified and offered complimentary credit monitoring services.”
Around a month earlier, on June 18, it said in an update that its forensic firm had “identified 484 files that likely were accessed by individuals without authorization.”
“The company has reviewed 211 of these files to date and determined that only 14 (or 6.6 percent) of those files contain non-public personal information,” the notice says. “The company is in the process of notifying the affected consumers and will offer them complimentary credit monitoring services.”
At the time, it appeared to confirm the time span of the data exposure, as it offered free credit monitoring services for those who had used its service from Jan. 1, 2003 onward.
It may be difficult for the company to determine if someone other than Shoval and security researchers accessed the documents, as organizations typically discard logs after a set period of time.