First American Mortgage Faces NY Regulator Inquiry, LawsuitPressure Mounts on Title Company That Exposed 885 Million Records Online
First American Mortgage Corp., the title insurance company that left hundreds of millions of personal documents exposed on the internet, is now facing a lawsuit and an inquiry by New York's financial regulator.
New York's Department of Financial Services is investigating the exposure of up to 885 million documents dating back to 2003 related to real estate transactions, The New York Times reports. DFS has the power to levy fines related to cybersecurity lapses.
Also, Bloomberg reports a lawsuit has been filed against First American in federal court in California that is seeking class-action status. The lawsuit was filed on behalf of Pennsylvania resident David Gritz, who bought and sold 11 properties between 2014 and last year with First American as the title insurance company.
First American's data exposure issue is just the latest in a string of data mishaps at organizations, including Equifax and health insurer Anthem, that store enormous amounts of sensitive consumer data, but have been found to have cybersecurity weaknesses (see: Moody's Changes Equifax's Outlook to 'Negative').
Alex Holden, CISO of the cybersecurity consultancy Hold Security, says top management within companies don't have adequate awareness of information security risks. There's also "an over-reliance on tools, vendors and other components without an overall framework, customization and threat intelligence," he says.
Holden says a standard penetration test likely would have uncovered the security shortcomings in First American's database (see: Title Company Exposes 16 Years of US Mortgage Data).
No Authentication Needed
Security blogger Brian Krebs first reported the exposure of the First American data after he was alerted to it by real estate developer Ben Shoval. First American, one of the largest providers of title insurance and settlement services in the U.S., had $5.7 billion in revenue in 2018.
Shoval found he could access other documents within First American's database by changing a number that appeared in a URL.
First American's online database did not require authentication to view the documents, which included tax records, real estate transaction documents, driver's license images and wire transfer documents.
The database was taken offline soon after the discovery, but it's unknown if others may have stumbled upon it. Some documents had been cached by search engines, but work was underway to ensure those were removed.
New York's DFS is responsible for regulating the state's banks, insurance companies, bail bond agents and other financial organizations. It has stepped up its interest in cybersecurity; last month, it launched a cybersecurity division.
New York also has one of the most comprehensive cybersecurity regulations in the U.S. that applies to financial services companies. The regulation, which went into effect two years ago, requires those companies have a CISO, report incidents within 72 hours and use multifactor authentication, among many other requirements (see: Reworked N.Y. Cybersecurity Regulation Takes Effect in March).
The lawsuit against First American relies heavily on information from Krebs' story. It alleges that consumers could face harm from the exposure.
"The documents leaked by First American contain not only sensitive information that scammers can use to impersonate real estate sellers, but also contact information for specific closing agents and buyers involved in ongoing real estate transactions," it says. "Mr. Gritz would not have used First American as the title insurer had he known that it would expose sensitive documents, making them publicly available over the internet."
The lawsuit seeks damages, a permanent injunction against First American and attorneys' fees.
It's difficult to accurately assess the ongoing risk from the exposed First American database. If attackers had been able to download the data slowly over time to not raise alarms, it would represent a rich trove of information from which to launch scams.
First American said last week that although its investigation is in the early stages, "at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred."
On Friday, First American said it is offering one year of prepaid credit monitoring from Experian to anyone who held a title insurance policy or used its escrow and closing services since Jan. 1, 2003.
Some of the data available in First American's cache was quite fresh. Krebs reported the availability of documents for pending real estate transactions. That's exactly the kind of information sought by so-called business email compromise scammers.
Those scams often revolve around compromising an email account that's being used to broker a financial transaction, such invoice payments. After observing communication between a supplier and a buyer, the scammers may doctor documents to change destination accounts for wire transfers. Fraudsters also target residential home transactions.
BEC scams - also sometimes called executive account compromise - cost at least $1.3 billion worldwide last year, according to the FBI (see: The FBI's RAT: Blocking Fraudulent Wire Transfers).