New York’s top financial watchdog, sometimes called “the sheriff of Wall Street,” has turned its attention to First American’s security incident that allegedly exposed millions of records to anyone with a web browser, as initially reported by cybersecurity expert Brian Krebs.
The New York State Department of Financial Services sent a letter to First American on Tuesday asking for information about the security failure, including what steps are being taken to fix it and how many people in New York State were affected, according to The New York Times.
First American blocked access to the application on Friday after Krebs revealed the alleged exposure of 885 million documents, many related to real estate transactions going back to 2003. As an example, Krebs posted a document he got from the site that contained an Arizona home seller’s Social Security number, mobile phone number, address and other private information that Krebs redacted. Krebs said the incident also exposed digital bank account statements, tax records, and images from driver’s licenses in states across the nation.
On Tuesday, First American said in a regulatory filing it hired an unnamed outside security firm to investigate what it called “a design defect” that exposed customer data.
“Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred,” First American said in the Tuesday filing with the Securities and Exchange Commission.
The Times story said it may not be possible for First American to say for sure whether or not the sensitive records had been downloaded for criminal purposes.
“Security researchers said that records can be scraped gradually from websites without leaving much trace – and that First American would have no way of knowing when and how the data was viewed unless it was actively monitoring the site that contained the information,” the Times said.
Marcus Ginnaty, a spokesman for First American, declined to comment on whether the company had been doing so, the Times said. The story also said some of the sensitive documents remain accessible in search engine caches.
The New York regulator’s investigation is the first begun under a new state cybersecurity law that took effect in March. The law, one of the strictest in the U.S., requires financial companies to regularly audit and report on how they protect sensitive data, and it gives the NYSDFS the ability to impose financial penalties on companies for violations it considers reckless or willful, the Times story said.
Publisher’s Note: This story has been updated by HousingWire to reflect information impact categories per standards set by the National Institute of Standards and Technology and other information security experts. At this time, per HousingWire definitions, the Publisher is classifying this incident as a data exposure. (June 3, 2019)