Big Four title firm First American must pay the New York Department of Financial Services (DFS) $1 million as part of a cybersecurity violation settlement, according to an announcement on Tuesday.

The settlement resolves cybersecurity violations made by First American relating to the breach and exposure of consumers’ non-public information.

In addition to paying $1 million to New York state of violating the DFS’s Cybersecurity Regulation, First American has also agreed to implements remedial measures to better secure its consumers’ data.

The cybersecurity breach was detected in May 2019, when First American notified the DFS of a vulnerability within its proprietary EaglePro application, which it uses to store consumer data. The vulnerability in the application would allow any individual in possession of the link used to access EaglePro could access the documents of individuals involved in unrelated transactions without any identity authentication.

In its investigation of the matter, the DFS found that First American “failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures.” As such, the DFS said that EaglePro did not have strong enough access controls, which would have prevented unauthorized users from gaining access to clients’ non-public data.

The title industry has seen its fair share of security breaches over the years, including the massive ransomware attack on cloud storage provider Cloudstar in 2021, as well as the very recent ransomware attack on Fidelity National Financial, which led to a shutdown of some of its network.  

“We’re pleased that this matter has been resolved,” a First American spokesperson wrote in an email. “First American remains committed to supporting our customers in the secure and efficient transfer of real estate in New York.”