[BreachExchange] Report: SEC Investigates First American Data Exposure

Destry Winant destry at riskbasedsecurity.com
Tue Aug 13 10:05:50 EDT 2019


The U.S. Securities and Exchange Commission is investigating the
exposure of hundreds of millions of personal and mortgage-related
records from First American Financial Corp., according to a report by
security blogger Brian Krebs.

The Santa Clara, California-based company is one of the largest
providers of title insurance and settlement services. A Washington
state real estate developer, Ben Shoval, discovered that First
American's website exposed an estimated 885 million housing-related
files and personal data documents going back to 2003 (see: Title
Company Exposes 16 Years of US Mortgage Data).

Shoval received a letter on Aug. 7 from the SEC asking him to provide
documentation related to the incident to the agency by Aug. 21, Krebs
reports. The SEC's letter to Shoval says its aim is to determine if
the company violated federal securities laws. The SEC describes the
probe as a non-public, fact-finding inquiry, Krebs reports.

The SEC has stepped into major data security incidents before. It
fined Yahoo $35 million in April 2018 after accusing the company of
failing to notify investors of a breach until two years later (see:
SEC Fines Yahoo $35 Million Over 2014 Breach).

First American Financial Corp. and the SEC did not immediately respond
to a request for comment.

First American reported on July 25 net income of $186.7 million on
total revenue of $1.5 billion in its second quarter. It says it spent
$1.7 million on the data exposure incident in the quarter.

Access Without Authorization

The SEC's investigation adds another layer of complication for First
American, which is already facing a class action lawsuit and an
investigation by New York's Department of Financial Services (see:
First American Mortgage Faces NY Regulator Inquiry, Lawsuit).

Shoval found he could increment the URL for a valid document, which
then exposed other documents in First American's systems without
authentication. After failing to get First American's attention, he
tipped off Krebs. First American subsequently closed the hole.

Among the accessible documents were wire transactions containing bank
account numbers, PDFs of home closing documents, tax records and
driver's license images. One document published but redacted by Krebs
included a seller's name, marital status, physical address, email
address, mortgage lender and Social Security number.

The documents appeared to be stored incrementally, and Krebs found one
numbered "000000075" that appeared to come from 2003.

First American: 32 People Affected

First American hasn't disclosed how many documents were publicly
available. But on July 16, it said its investigation had turned up how
many consumers' personal information may have been compromised: 32.

"The investigation identified 32 consumers whose non-public personal
information likely was accessed without authorization," the company
says in a notice. "These 32 consumers have been notified and offered
complimentary credit monitoring services."

Around a month earlier, on June 18, it said in an update that its
forensic firm had "identified 484 files that likely were accessed by
individuals without authorization."

"The company has reviewed 211 of these files to date and determined
that only 14 (or 6.6 percent) of those files contain non-public
personal information," the notice says. "The company is in the process
of notifying the affected consumers and will offer them complimentary
credit monitoring services."

At the time, it appeared to confirm the time span of the data
exposure, as it offered free credit monitoring services for those who
had used its service from Jan. 1, 2003 onward.

It may be difficult for the company to determine if someone other than
Shoval and security researchers accessed the documents, as
organizations typically discard logs after a set period of time.
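
The log review described above can be sketched as a check for clients that were served runs of consecutive document numbers without logging in. This is an added example, not part of the original article and not First American's code; the /doc/view?id= path, the combined-log layout, the sample lines and the run threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real logs). The path
# /doc/view?id=N is a hypothetical stand-in for the document URL.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:10:00:01 +0000] "GET /doc/view?id=000000075 HTTP/1.1" 200 48211
203.0.113.7 - - [24/May/2019:10:00:02 +0000] "GET /doc/view?id=000000076 HTTP/1.1" 200 51002
203.0.113.7 - - [24/May/2019:10:00:03 +0000] "GET /doc/view?id=000000077 HTTP/1.1" 200 39870
203.0.113.7 - - [24/May/2019:10:00:04 +0000] "GET /doc/view?id=000000078 HTTP/1.1" 200 40112
203.0.113.7 - - [24/May/2019:10:00:05 +0000] "GET /doc/view?id=000000079 HTTP/1.1" 200 47733
203.0.113.7 - - [24/May/2019:10:00:06 +0000] "GET /doc/view?id=000000080 HTTP/1.1" 404 -
198.51.100.20 - - [24/May/2019:11:15:40 +0000] "GET /doc/view?id=000001200 HTTP/1.1" 200 60211
198.51.100.20 - - [24/May/2019:11:19:02 +0000] "GET /doc/view?id=000005310 HTTP/1.1" 200 58300
192.0.2.44 - jdoe [24/May/2019:12:00:00 +0000] "GET /doc/view?id=000000300 HTTP/1.1" 200 1000
192.0.2.44 - jdoe [24/May/2019:12:00:01 +0000] "GET /doc/view?id=000000301 HTTP/1.1" 200 1000
192.0.2.44 - jdoe [24/May/2019:12:00:02 +0000] "GET /doc/view?id=000000302 HTTP/1.1" 200 1000
192.0.2.44 - jdoe [24/May/2019:12:00:03 +0000] "GET /doc/view?id=000000303 HTTP/1.1" 200 1000
this line is truncated and must be skipped
"""

# Fields captured: client IP, authenticated user ("-" if none), document ID, status.
LINE_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[[^\]]+\] "GET /doc/view\?id=(\d+) HTTP/[\d.]+" (\d{3}) ')

def find_enumeration(log_text, min_run=4):
    """Map each client IP to its longest run of consecutive document IDs
    served (HTTP 200) with no authenticated user, for runs >= min_run."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different endpoint
        ip, user, doc_id, status = m.groups()
        if status == "200" and user == "-":
            ids_by_client[ip].add(int(doc_id))
    findings = {}
    for ip, ids in ids_by_client.items():
        best = run = 0
        prev = None
        for n in sorted(ids):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            best = max(best, run)
            prev = n
        if best >= min_run:
            findings[ip] = best
    return findings

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

A check like this only covers the period for which logs are still retained, which is the limitation the article notes.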
