The U.S. Securities and Exchange Commission is reportedly investigating a security breach at First American Financial Corporation that saw the exposure of upwards of 885 million financial records and personal files related to mortgages dating back to 2003.
KrebsOnSecurity reported the breach in May. Included in the exposed data are bank account numbers, statements, tax and mortgage records, receipts for wire transfers, personal social security numbers and pictures of drivers’ licenses. The security company reported that all the information was accessible without any need for authentication.
The story broke when a real estate developer in Seattle named Ben Shoval received a letter from the SEC that said it was looking into whether First American broke any federal securities regulations. The regulatory agency asked him to provide anything he had that was tied to the data exposure.
“This investigation is a non-public, fact-finding inquiry,” the letter said. “The investigation does not mean that we have concluded that anyone has violated the law.”
First American is also being investigated by regulators in New York over cybersecurity regulation that requires companies to provide regular audits, and it’s also the purview of a class action lawsuit that says it “failed to implement even rudimentary security measures.”
For its part, First American has been trying to downplay how bad the exposure has been, calling the breach a “design defect” of its online site. It said that on June 18, a review of its system logs by another independent company, “based on guidance from the company, identified 484 files that likely were accessed by individuals without authorization. The company has reviewed 211 of these files to date and determined that only 14 (or 6.6 percent) of those files contain non-public personal information. The company is in the process of notifying the affected consumers and will offer them complimentary credit monitoring services.”
On July 16, First American said that it had concluded an investigation and found only 32 consumers whose data was accessed without permission.
“These 32 consumers have been notified and offered complimentary credit monitoring services,” the company said.