[BreachExchange] First American Title Accused Of Exposing Millions Of Customers’ Personal Data

[Destry Winant]

https://www.pymnts.com/news/security-and-risk/2020/first-american-title-lawsuit-data-breach/

First American Title, one of the largest providers of title insurance
in the U.S., is facing allegations that it exposed the personal data
of millions of its customers.

The New York State Department of Financial Services (DFS) filed
charges on Wednesday (July 22) against the Santa Ana, California-based
company, which wrote more than 50,000 policies in New York last year.
Regulators allege violations of the state’s cybersecurity regulation.

DFS said that millions of documents – many containing bank account
numbers, mortgage and tax records, Social Security numbers, wire
transaction receipts and drivers’ license images – were compromised.

The complaint alleges that a breach of First American’s information
systems resulted in the exposure of consumers’ sensitive personal
information over several years. DFS claimed that First American has
known about the vulnerability for nearly two years, but failed to fix
it.

DFS alleges that First American did not follow its own privacy
protection policies, and neglected to conduct a security review of the
flawed computer program and the sensitive data associated with the
data vulnerability.

After the data exposure was discovered by an internal test in 2018,
First American reviewed less than a dozen of the millions of documents
exposed and thereby grossly underestimated the seriousness of the
vulnerability, DFS charged.

Violations carry penalties of up to $1,000 for each instance.

A hearing is scheduled at DFS offices for Oct. 26.

First American denied the allegations. “Our investigation into the
incident, conducted with an outside forensics firm, identified a very
limited number of consumers whose nonpublic personal information
likely was accessed without authorization and otherwise found no
evidence of misuse of any nonpublic personal information,” First
American said. “None of these identified consumers were New York
residents.”

The company said the Nebraska Department of Insurance examined the
company’s information security program last summer and concluded that
controls are suitably designed and operating effectively. “At First
American, security, privacy and confidentiality are of the highest
priority, and we intend to vigorously defend ourselves against the
Department’s unreasonable charges,” the statement said.

In May, a class-action lawsuit was filed against First American
Financial Corp. in U.S. District Court for the Central District of
California by Gibbs Law Group on behalf of David Gritz, a resident of
Pennsylvania who had bought and sold several homes. The lawsuit
contends that First American broke its privacy promises by storing
sensitive documents on a publicly accessible system.