The state financial regulator is demanding information on a leak that exposed up to 885 million mortgage documents
.jpg)
New York state’s financial watchdog is investigating title-insurance giant First American Financial Corporation following a leak on the company’s website that exposed an estimated 885 million mortgage records.
The leak was first publicized by security expert Brian Krebs on his website KrebsOnSecurity.com. after receiving a tip from a Washington state real estate agent, Krebs found that anyone who had a valid URL to view a mortgage document on First American’s website could view other documents just by modifying a single digit in the link.
Many of the exposed filed were records of wire transactions that included homebuyers’ and sellers’ bank account numbers and other personal information. No authentication was required to view the documents, according to Krebs.
The leak appears to be the largest, in terms of sheer numbers, since a 2013 cyber attack on Yahoo that compromised 3 billion user accounts, according to a New York Times report.
The New York Department of Financial Services (DFS) is now looking into the leak. On Tuesday, the DFS sent a letter to First American asking when the leak was discovered, what steps were being taken to address the problem, and how many people in New York state were affected by it, according to the Times.
The investigation is the first under a new state cybersecurity regulation that took effect in March, the Times reported. The regulation – the strictest of its kind in the country – requires financial companies to regularly audit and report on what steps they take to protect sensitive data. It allows the DFS to financially penalize companies for violations the regulator considers reckless or willful, the Times reported.
The New York state investigation is the first of what will likely be many probes into the security failure. Even in the absence of state probes, however, First American is already receiving blowback for the leak. The company’s shares fell by 2.2% after the leak was exposed. Although the shares recovered somewhat, it was the largest dive the company had taken since 2011. First American is also being sued by a client who claims that the title insurer’s lax security measures put him at risk of identity theft.
First American said last week that it had cut off external access to the web application that revealed the data and hired an outside firm to investigate the leak, the Times reported. The title insurer said that a preliminary investigation had not yet found evidence of “large-scale unauthorized access” to the documents.
