First American Title Insurance Company has become the first firm to face charges alleging violations of the New York State Department of Financial Services’ Cybersecurity Regulation.
When it was first proposed in 2016, the stated aim of New York’s first-in-the-nation Cybersecurity Regulation, which took effect in March 2017, was to protect against the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other NYDFS-regulated financial services institutions to establish and maintain a cyber-security program designed to protect consumers and ensure the safety and soundness of the financial services industry.
“For more than four years, First American Title Insurance Company exposed tens of millions of documents that contained consumers’ sensitive personal information, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images,” NYDFS said in its statement of charges, filed Wednesday. From at least October 2014 through May 2019, due to a known vulnerability on First American’s public-facing Website, “these records were available to anyone with a web browser,” the NYDFS said.
According to the statement of charges, the vulnerability was first introduced during an application software update in May 2014 and went undetected for years. First American’s “mishandling of its own customers’ data was compounded by its willful failure to remediate the vulnerability, even after it was discovered by a penetration test in December 2018,” the statement of charges continues.
First American “failed to conduct a reasonable investigation into the scope and cause of the exposure, reviewing only 10 of the millions of documents exposed and thereby grossly underestimating the seriousness of the vulnerability,” NYDFS said. “Moreover, the title insurer failed to follow the recommendations of its internal cybersecurity team to conduct further investigation into the vulnerability.”
Instead, First American “allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cyber-security industry journalist,” according to the statement of charges. That cyber-security journalist was KrebsOnSecurity, who first reported the leak in May 2019, writing that the vulnerability “exposed approximately 885 million files, the earliest dating back more than 16 years,” and that “no authentication was required to read the documents.”
The NYDFS charges said First American violated six provisions of the Cybersecurity Regulation, including failure to perform an adequate risk assessment, maintain proper access controls, provide adequate security training for cyber-security employees, and encrypt certain nonpublic information. NYDFS alleges that each instance of non-public information encompassed within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.
“First American strongly disagrees with the New York Department of Financial Services’ charges,” the company said in a statement. “As we reported in July 2019, our investigation into the incident, conducted with an outside forensics firm, identified a very limited number of consumers whose non-public personal information likely was accessed without authorization and otherwise found no evidence of misuse of any non-public personal information. None of these identified consumers were New York residents.
“… At First American, security, privacy and confidentiality are of the highest priority, and we intend to vigorously defend ourselves against the Department’s unreasonable charges.”