The commission said First American's information security personnel spotted the vulnerability months earlier, but didn't fix it or notify company brass.

The announcement reverses Chairman Jay Clayton's previous statements about whether the breach exposed anyone's personal information.

Sitting before the Senate Banking, Housing and Urban Affairs Committee, Clayton fielded questions about the SEC breach as well as the Equifax breach last month.