The Securities and Exchange Commission is reportedly investigating a security incident involving First American’s website that may have exposed more than 885 million records related to real estate closings and mortgage fundings going back to 2003, cybersecurity expert Brian Krebs said on Monday.
Ben Shoval, a Seattle real estate developer cited by Krebs in May as the person who alerted him to the situation, said he received a letter last week from the SEC’s enforcement division stating it was investigating to determine if First American had violated federal securities laws.
In May, Krebs broke the news of the data exposure, providing an example of a private record he obtained without having to authenticate. The exposed documents included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver’s license images, he said on his Krebs on Security website.
An image posted on Krebs’ website on Monday showed the Aug. 7 SEC letter that Shoval says he received. The letter asks Shoval to preserve and share any documents or evidence he has related to the data exposure.
“The staff of the United States Securities and Exchange Commission is conducting an investigation relating to the above-referenced matter to determine if violations of the federal securities laws have occurred,” the letter said. “In connection with this investigation, the staff requests that you immediately preserve, and voluntarily provide us with, the information and documents set forth in Attachment A by 5 p.m., August 21, 2019.”
The letter said: “The investigation does not mean that we have concluded that anyone has violated the law.”
First American did not respond to HousingWire’s request for a comment on Tuesday. On July 16, the company posted a statement on its website saying it had investigated the matter and concluded that 32 consumers were impacted by the data exposure.
“First American Financial Corporation advises that the investigation into the extent to which customer information may have been compromised in connection with the reported information security incident is complete,” the company said. “The investigation identified 32 consumers whose non-public personal information likely was accessed without authorization. These 32 consumers have been notified and offered complimentary credit monitoring services.”
When Krebs first broke the story in May, First American issued a statement admitting there was a design flaw.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” the company said in the May statement. “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application.”