SEC Fines Firm For Alleged Cyber Disclosure Failures

The SEC has reached a roughly $500,000 deal with a real estate settlement services company over its alleged disclosure failures regarding a cybersecurity defect that exposed personal financial information on over 800 million mortgage title insurance records dating back to 2003. 

In its order Monday, the SEC said First American Financial Corp.’s information security personnel knew of serious vulnerabilities in the company’s document-sharing system at least five months before an independent journalist warned the public in May 2019, evidenced in an internal report from that January. The commission faulted the Fortune 500 company for lacking disclosure controls and protocols that should have alerted senior management to the problem — and found that when the company’s chief information and security officers did learn of the report and failure to fix the problem, they did not tell senior executives responsible for public disclosures. 

In 2019, independent cybersecurity journalist Brian Krebs first reported that documents on First American’s proprietary file-sharing application, Eagle Pro, “were available without authentication to anyone with a web browser.” Senior executives subsequently released a public statement and filed a report with the SEC — while apparently remaining unaware of the January report. 

Before Krebs’ story went live, according to the SEC’s order, the reporter emailed First American’s investor relations personnel to notify them that Eagle Pro was “leaking” over 800 million records containing “bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers license images.” 

According to the SEC, this vulnerability was traceable to a defect embedded in the Eagle Pro application since 2014, which allowed users with one document link to access other records by altering digits in the URL. What’s more, some document images “transmitted through EaglePro unsecure packages were cached on publicly available search engines,” the order said. 
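The defect the order describes is a classic insecure direct object reference: a document is addressed by a guessable sequential number and the server never checks who is asking. The following added example (my own illustration, not First American's or EaglePro's code; document ids, owners and contents are constructed) contrasts that weak pattern with a hardened one that issues unguessable per-recipient tokens, enforces authentication and ownership, and sends headers that keep shared pages out of search-engine caches.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Document:
    doc_id: int
    owner: str   # party the document was shared with
    body: str

# Constructed sample repository keyed by sequential ids, mirroring the defect above.
REPO: Dict[int, Document] = {
    1001: Document(1001, "alice", "wire receipt for alice"),
    1002: Document(1002, "bob", "tax record for bob"),
}

def fetch_weak(doc_id: int, requester: Optional[str]) -> Optional[str]:
    """Weak pattern: the link carries a sequential id and neither authentication
    nor ownership is checked, so changing the digits yields another party's record."""
    doc = REPO.get(doc_id)
    return doc.body if doc else None

# Hardened pattern: a share is an unguessable token bound to a specific recipient.
SHARES: Dict[str, Tuple[int, str]] = {}   # token -> (doc_id, recipient)
NO_CACHE_HEADERS = {"Cache-Control": "no-store", "X-Robots-Tag": "noindex, nofollow"}

def create_share(doc_id: int, recipient: str) -> str:
    """Issue a 256-bit random token for one document and one recipient."""
    token = secrets.token_urlsafe(32)
    SHARES[token] = (doc_id, recipient)
    return token

def fetch_hardened(token: str, requester: Optional[str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, headers, body). Requires a logged-in requester, a known token,
    and that the token was issued to that requester; the headers forbid caching/indexing."""
    if requester is None:
        return 401, {}, None            # must authenticate before any document is served
    share = SHARES.get(token)
    if share is None:
        return 404, {}, None            # unknown or revoked token; nothing to enumerate
    doc_id, recipient = share
    if recipient != requester:
        return 403, {}, None            # valid link, wrong person
    return 200, dict(NO_CACHE_HEADERS), REPO[doc_id].body

if __name__ == "__main__":
    print("weak, no login, neighbouring id:", fetch_weak(1002, None))
    tok = create_share(1001, "alice")
    print("hardened, bob with alice's link:", fetch_hardened(tok, "bob")[0])
    print("hardened, alice:", fetch_hardened(tok, "alice"))
```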

First American’s security team had identified these issues in January following a manual penetration test, and shared its finding with personnel responsible for remediating vulnerabilities — but “due to a clerical error,” the SEC wrote, the security alert was downgraded to a “low risk” level. 

Many of these records were also improperly tagged, the commission said. A 2018 internal analysis of the company’s records repository showed that it “potentially contained tens of millions of document images that contained non-public personal information” that were supposed to bear an “SEC (secure) legend,” the order said. 

According to a First American Form 9-K published Monday, “the company consented to the entry of an order finding a violation of Rule 13a-15 of the Securities Exchange Act of 1934, which requires issuers of registered securities to maintain effective disclosure controls,” but “neither admits nor denies the findings in the order, other than with respect to the SEC’s jurisdiction.” 

Counsel for First American Financial Corp. and counsel for the Securities and Exchange Commission did not immediately respond to requests for comment. 

The case is In the Matter of First American Financial Corp., case number 3-20367, before the U.S. Securities and Exchange Commission. 

Victoria Mckenzie/ Law360