SEC Looking Into First American Breach
May's massive breach at First American Financial Corp. exposed 885 million records. Now the company is drawing the attention of regulators, curious if any laws were broken.
When news broke earlier this year that title insurance provider First American Financial Corporation accidentally exposed 885 million records, most of them relating to mortgage deals going back 16 years, many on social media lamented that the story would become yet another instance of a big corporation playing fast and loose with Americans’ data without any repercussions.
If there had been any doubt, it's clear now that the company, which leaked data like bank account numbers, statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images, has gotten the attention of regulators.
According to security reporter Brian Krebs, who broke the news on the First American breach in May, the U.S. Securities and Exchange Commission (SEC) has begun looking into the leak to see if to see if the company violated any federal securities laws.
Krebs cites a letter from the SEC's Division of Enforcement to Ben Shovel, a Seattle-based real estate developer, he received, asking him to share any information or documents he may have in connection to the breach.
It's important to note that the letter goes on to state that SEC is merely gathering facts around the incident and that it's not implying the company has broken the law.
The breach is one of the biggest since Yahoo's massive incident in 2013 that spilled data on three billion accounts. The First American breach quickly surpassed another data breach disclosed earlier this year, a collection of 773 million email IDs and 21 million passwords dubbed Collection #1, for the most records breached in 2019.
The data leak stemmed from the company called a "design defect" on its website that allowed attackers to access 484 files, a handful which purportedly contained non-public personal information, without authentication.
The company, which has found itself drawn into a number of lawsuits - including a class action suit (.PDF) - since disclosing the leak, has downplayed the incident saying it’s only been able to identify 32 consumers whose non-public information was potentially accessed without authorization.
"These 32 consumers have been notified and offered complimentary credit monitoring services," First American added in July.
News of the SEC's interest in the breach comes a few months after the New York Times reported that New York's Department of Financial Services was also looking into it. The Times said in May that NYDFS sent a letter to the company asking for further information on the breach, when it was discovered, what it did to fix the defect, how many New Yorkers were affected, and so on. To this day, for what it's worth, it's still unclear what exactly the "defect" may have been.
While the SEC's interest in the case has no doubt raised some eyes, the incident is also the first known investigation being carried out under the NYDFS’s new Cybersecurity Division.
The state regulator announced the new division, whose job is to enforce the department's cybersecurity regulations, including its stringent Cybersecurity Regulation, 23 NYCRR 500, in May.