A subsidiary of insurance company First American Financial Corp. has been charged by a New York regulator regarding a data breach that went on for several years.
The New York State Department of Financial Service (DFS) filed charges on July 22 alleging that First American Title Insurance Co. exposed hundreds of millions of documents containing sensitive information. Data compromised in the breach included Social Security numbers and bank account information.
According to the DFS, the company leaked data because it was using a flawed document management system that allowed anyone to access files. The department claims that no passwords or other security measures were in place to prevent sensitive information stored within the system from being viewed.
The court case is the first cybersecurity enforcement action brought by the regulator under a set of rules debuted in March 2017 that require banks and other financial services companies to implement and maintain cybersecurity protections.
The laws require financial services companies licensed to operate in New York to limit access to sensitive data, carry out regular risk assessments, and inform users of any cybersecurity incidents in a timely manner.
First American is accused of violating six sections of the rules. If found guilty, the company could be ordered to pay fines of up to $1,000 per violation.
First American Title Insurance Co. is the second largest insurer of real estate in the United States. A spokesman for the company said First American intends to contest the charges.
“First American strongly disagrees with the New York Department of Financial Services’ charges,” the company said in a statement.
The charges filed by DFS state that First American was aware of vulnerabilities in its document management system for a number of months before news of the flaws was published in 2019 by journalist Brian Krebs. The regulator said the weaknesses were unearthed during a penetration test authorized by First American in late 2018.
According to DFS, mismanagement and a series of administrative errors meant that the flagged flaws went unfixed.
First American said an investigation into the breach by the Nebraska Department of Insurance had found that the company had adequate cybersecurity in place to comply with the New York regulations as of June 30, 2019.