First American Financial Pays Farcical $500,000 Fine – Krebs on Security
In May 2019, KrebsOnSecurity reported that the website of mortgage settlement giant First American Financial Corp. [NYSE:FAF] had exposed more than 800 million documents – many of them containing sensitive financial data – related to real estate transactions dating back 16 years. This week the U.S. Securities and Exchange Commission settled its investigation into the matter after the Fortune 500 company agreed to pay a paltry fine of less than $500,000.
If you’ve bought or sold a property in the past two decades, there’s a good chance you’ve handed First American plenty of personal and financial documents as well. According to data from the American Land Title Association, First American is the second-largest title insurance and settlement firm in the United States, processing nearly a quarter of all closings each year.
The SEC says First American derives nearly 92% of its revenue from its title insurance segment, which earned $7.1 billion last year.
Title insurance protects homebuyers from the prospect of someone challenging their legitimacy as a new homeowner. According to SimpleShowing.com, there are actually two title insurance policies in each transaction: one for the buyer and one for the lender (the lender also needs protection because they are providing the mortgage to buy the house).
Title insurance is not required by law, but most lenders require it as part of any mortgage transaction. In other words, if you want to take out a mortgage on a house, you won’t be able to do so without providing companies like First American with documents about your income, assets, and liabilities, including a lot of sensitive financial data.
Aside from its core business function – verifying that the property involved in a real estate transaction is not burdened with liens or other legal claims against it – First American essentially has one job: to protect the privacy and security of all those documents.
It’s easy to see why companies like First American might not treat the protection of this data as sacrosanct, because the industry-wide incentive to protect all of these sensitive documents is somewhat misaligned.
That is, in the title insurance industry, the parties to a real estate transaction are not the clients; they are the product. The real customers of the title insurance companies are mainly the banks that back these mortgage transactions.
We see a similar dynamic with social media platforms, where the “user” is not the customer at all but the product whose data is bought and sold by these platforms.
About five months before KrebsOnSecurity informed First American that anyone with a web browser could view sensitive documents in its online “EaglePro” database simply by changing certain characters at the end of a link, an internal security audit at First American had reported the exact same vulnerability.
But the company never took action to fix it until the media called it out.
The SEC’s administrative proceeding (PDF) explains how things slipped through the cracks. Under First American’s documented vulnerability remediation policies, the exposure was classified as a security vulnerability with a “level 3” severity, which placed it in the “medium risk” category and required remediation within 45 days.
But rather than being recorded as a level 3 severity, the vulnerability was mistakenly entered as a level 2 or “low risk” severity in First American’s automated tracking system because of a clerical error. Level 2 issues had to be corrected within 90 days. Even so, First American missed that mark.
The SEC said that under First American’s remediation policies, if the person tasked with resolving the issue is unable to do so within the time frames listed above, that employee should ask their management to contact the company’s information security department to discuss their remediation plan and proposed time estimate.
“If it is not technically possible to remedy the vulnerability, or if the repair is prohibitively expensive, the [employee] and their management should contact information security to obtain a waiver or risk acceptance approval from the CISO,” the SEC explained. “The [employee] did not request an exemption or risk acceptance from the CISO.”
Therefore, somebody at First American accepted the risk, but this person neglected to make sure that the most senior people in the company were also comfortable with the risk. It’s hard not to hum a tune every time the phrase “accepted the risk” comes up if you’ve already seen this excellent parody of the infosec industry.
The SEC went after First American because, a few days after our May 24, 2019 article was published, the company filed an 8-K with the agency stating that First American had no prior indication of the vulnerability.
“This statement demonstrated that First American senior management was not properly informed of the prior report of a vulnerability and failure to resolve the issue,” wrote Michael Volkov, a federal prosecutor for 30 years who now heads the Volkov Law Group in Washington, D.C.
Reporting for Reuters Regulatory Watch, Richard Satran notes that the SEC accused First American of violating Exchange Act Rule 13a-15(a).
“The rule broadly requires companies involved in the issuance of securities to have a compliance process in place to ensure that material information complies with securities laws,” Satran wrote. “The SEC avoided going into the specific details of the breach and instead focused on how its disclosure was handled.”
Mark Rasch, also a former federal prosecutor in Washington, said the SEC was signaling with the action that it intended to take on more cases in which companies mishandle security governance in significant ways.
“It’s a win for the SEC and for First American, but it’s not really fair,” Rasch said. “It’s a ridiculous fine, and it does not imply any admission of guilt on the part of First American.”
Rasch said First American’s first problem was labeling the weakness as medium risk.
“That’s a lot of sensitive data that you’re exposing to anyone with a web browser,” Rasch said. “It’s a high risk vulnerability. It also means that you probably don’t know whether or not someone has accessed this data. There is no way to find out unless you can review all of your logs for all these years.”
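Rasch’s point is that the only way to answer “did anyone pull these documents?” is to go back through the web access logs. The script below is an added example (not code from KrebsOnSecurity or First American) showing what that review looks like when the exposed records are reachable by a predictable identifier: it parses constructed Common Log Format lines and flags clients that walk through consecutive document ids in quick succession. The /EaglePro/doc?id= path and the numeric, incrementing ids are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Common Log Format). The /EaglePro/doc?id= path and the
# numeric, incrementing document ids are assumptions for this example, not First American's.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2019:10:00:01 +0000] "GET /EaglePro/doc?id=100000441 HTTP/1.1" 200 5120
203.0.113.7 - - [20/May/2019:10:00:02 +0000] "GET /EaglePro/doc?id=100000442 HTTP/1.1" 200 4880
203.0.113.7 - - [20/May/2019:10:00:03 +0000] "GET /EaglePro/doc?id=100000443 HTTP/1.1" 200 5001
203.0.113.7 - - [20/May/2019:10:00:04 +0000] "GET /EaglePro/doc?id=100000444 HTTP/1.1" 200 4990
203.0.113.7 - - [20/May/2019:10:00:05 +0000] "GET /EaglePro/doc?id=100000445 HTTP/1.1" 200 5103
198.51.100.9 - - [20/May/2019:10:00:06 +0000] "GET /EaglePro/doc?id=100000441 HTTP/1.1" 200 5120
198.51.100.9 - - [20/May/2019:10:45:00 +0000] "GET /EaglePro/doc?id=100000442 HTTP/1.1" 200 4880
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?:GET|HEAD) \S*[?&]id=(?P<id>\d+)[^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Return a list of (client_ip, timestamp, document_id) for each successful fetch."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            events.append((m.group("ip"), ts, int(m.group("id"))))
    return events

def find_enumeration(events, min_run=4, max_gap=timedelta(minutes=5)):
    """Flag clients fetching >= min_run consecutive ids, each within max_gap of the last."""
    by_ip = defaultdict(list)
    for ip, ts, doc_id in events:
        by_ip[ip].append((ts, doc_id))
    hits = {}                             # ip -> (first_id, last_id, run_length)
    for ip, reqs in by_ip.items():
        reqs.sort()                       # chronological order per client
        start, run, best = 0, 1, None
        for i in range(1, len(reqs)):
            prev_ts, prev_id = reqs[i - 1]
            ts, doc_id = reqs[i]
            if doc_id == prev_id + 1 and ts - prev_ts <= max_gap:
                run += 1
            else:
                start, run = i, 1         # sequence broken: a new run begins here
            if run >= min_run and (best is None or run > best[2]):
                best = (reqs[start][1], doc_id, run)
        if best:
            hits[ip] = best
    return hits
```

The second client fetches two adjacent ids 45 minutes apart and is not flagged; a genuine review would also retain enough log history to cover the whole exposure window, which is exactly what Rasch says is usually missing.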
The SEC said more than 800 million records had been publicly available on First American’s website since 2013. In August 2019, the company said a third-party investigation into the exposure identified only 32 consumers whose non-public personal information had likely been accessed without authorization.
When KrebsOnSecurity asked how long it keeps access logs or how far back that review went, First American declined to be more specific, saying only that its logs cover a period typical for a company of its size and nature.
However, documents from New York financial regulators show First American was unable to determine whether the records had been accessed before June 2018 (a year before the weakness was fixed).
The files exposed by First American would have been a virtual gold mine for phishers and con artists involved in business email compromise (BEC) scams, who often impersonate real estate agents, escrow firms, and title companies in an effort to trick property buyers into wiring funds to fraudsters. BEC scams are the most costly form of cybercrime today, according to the FBI.
First American is not yet out of the regulatory woods over this massive data exposure. In July 2020, the New York State Department of Financial Services announced that the company was the target of its first-ever cybersecurity enforcement action in connection with the incident, charges that could result in hefty financial penalties. That investigation is ongoing.
The DFS considers each instance of exposed personal information to be a separate violation, and the company faces penalties of up to $1,000 per violation. According to the SEC, First American’s EaglePro database contained tens of millions of document images containing non-public personal information.