First American Faces NY Regulator, Lawsuit Over Exposure

Breach Response , Data Breach , Data Masking & Information Archiving

Pressure Mounts on Title Company that Exposed 885 Million Records Online(jeremy_kirk) • June 3, 2019    First American Faces NY Regulator, Lawsuit Over ExposurePhoto: Staff Sgt. Teresa J. Cleveland

First American Mortgage Corp., the title insurance company that left hundreds of millions of personal documents open on the internet, is now facing a lawsuit and an inquiry by New York's financial regulator.

See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.

New York's Department of Financial Services is investigating the exposure of up to 885 million documents dating back to 2003 related to real estate transactions, The New York Times reports. DFS has the power to levy fines related to cybersecurity lapses.

Also, Bloomberg reports a lawsuit filed against First American in federal court in California that is seeking class-action status. The lawsuit was filed on behalf of Pennsylvania resident David Gritz, who bought and sold 11 properties between 2014 and last year with First American as the title insurance company.

imageAlex Holden

First American's problem is just the latest in a string of data mishaps at organizations that store enormous amounts of sensitive consumer data, but have been found to have cybersecurity weaknesses, including Equifax and health insurer Anthem (see Moody's Changes Equifax's Outlook to 'Negative').

Alex Holden, CISO of the cybersecurity consultancy Hold Security, says there's an ongoing disconnect between top management within companies and information security risks. There's also "an overreliance on tools, vendors and other components without overall framework, customization and threat intelligence," he says.

Holden says a "standard" penetration test would have uncovered the shortcomings around First American's database (see Title Company Exposes 16 Years of US Mortgage Data).

No Authentication Needed

Security writer Brian Krebs first reported the exposure of the First American data after he was alerted to it by a real estate developer, Ben Shoval. First American is one of the largest providers of title insurance and settlement services in the U.S. and had $5.7 billion in revenue in 2018.

Shoval found he could access other documents within First American's database by changing a number that appeared in a URL.

First American's database did not require authentication to view the documents, which included tax records, real estate transaction documents, driver's license images and wire transfer documents.

The database was taken offline soon after the discovery, but it's unknown if others may have stumbled upon it. Some documents had been cached by search engines, but work was underway to ensure those were removed.

Legal Trouble

New York's DFS is responsible for regulating the state's banks, insurance companies, bail bond agents and other financial organizations. It has also stepped up its interest in cybersecurity and last month launched a cybersecurity division.

New York also has one of the most comprehensive cybersecurity regulations in the U.S. that applies to financial services companies. The regulation, which went into effect two years ago, requires those companies have a CISO, report incidents within 72 hours and use multifactor authentication, amongst many other requirements (see Reworked N.Y. Cybersecurity Regulation Takes Effect in March).

The lawsuit against First American relies heavily on information from Krebs' story. It alleges that consumers could face harm from the exposure.

imageThe lawsuit against First American.

"The documents leaked by First American contain not only sensitive information that scammers can use to impersonate real estate sellers, but also contact information for specific closing agents and buyers involved in ongoing real estate transactions," it says.

As far as the plaintiff, "Mr. Gritz would not have used First American as the title insurer had he known that it would expose sensitive documents, making them publicly available over the internet," the lawsuit reads.

The lawsuit seeks damages, a permanent injunction against First American and attorneys' fees.

Ongoing Risks?

It's hard to accurately assess the ongoing risk. If attackers had been able to download the data slowly over time to not raise alarms, it would represent a rich trove of information from which to launch future scams.

First American said last week that although its investigation is in the early stages, "at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred."

On Friday, the company said it is offering one year of free monitoring by credit bureau Experian to anyone who held a title insurance policy or used its escrow and closing services since Jan. 1, 2003.

Some of the data available in First American's cache was quite fresh. Krebs reported the availability of documents for pending real estate transactions. That's exactly the kind of information sought by so-called business email compromise scammers.

Those scams often revolve around compromising an email account that's being used to broker a financial transaction, such invoice payments. After observing communication between a supplier and a buyer, the scammers may doctor documents to change destination accounts for wire transfers. Fraudsters also target residential home transactions.

BEC scams - also sometimes called executive account compromise - cost at least $1.3 billion worldwide last year, according to the FBI (see The FBI's RAT: Blocking Fraudulent Wire Transfers).