Insurer’s huge data exposure draws charges from New York state
New York regulators have charged an insurer with violating state cybersecurity law for allegedly exposing hundreds of millions of documents that included Americans’ personal data, including Social Security numbers and financial information.
The New York State Department of Financial Services announced legal action Wednesday against the First American Title Insurance Company, the second-largest real estate title insurer in the U.S. The company is accused of exposing customers’ Social Security numbers, bank account information, driver’s license numbers and mortgage and tax records through a software vulnerability that went undetected between May 2014 and December 2018. Upon discovering the flaw during a routine security test, the insurance company failed to fix it, DFS alleged.
“After the data exposure was discovered by an internal penetration test in December 2018, First American failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability,” state regulators said in a statement.
First American said it “strongly disagrees” with the charges in a statement Wednesday.
The vulnerability in First American’s website exposed roughly 885 million files, KrebsOnSecurity first reported last year. A real estate developer who uncovered the issue told KrebsOnSecurity that anyone with access to a section of the First American website could modify the URL, then view a huge number of other documents.
First American said it fixed the issue following the Krebs report.
If found guilty of the DFS charges, First American could face fines of up to $1,000 for every exposed record.
The complaint marks the first enforcement of new New York rules that spell out the way financial firms operating in the state must protect data. Requirements include regular security tests, policies around device management, network monitoring and the appointment of a chief information security officer, or equivalent position, in covered entities. Given the concentration of large financial firms in New York, the state laws cover a large portion of the U.S. industry.