A massive data leak potentially revealed 885 million documents detailing private mortgage information last month, many including social security and bank account numbers.
First American Financial left copies of mortgage and title documents the company had insured — going back to 2003 — unsecured on the internet until late May.
KrebsonSecurity alerted First American Financial or First American Title after the cyber security news site was contacted by a real estate developer who saw that if someone had a valid link to a document on the site, other documents could be accessed by simply changing the sequence of numbers in the link.
First American provides title insurance, which banks often require for property transactions. The company is the second-largest operating in Texas. It wrote about 20% of all the title insurance policies in the state last year. According to the American Land Title Association that’s about $426 million in business.
The numbers indicate thousands of Texans' data, including bank accounts and social security numbers, could be included.
"It's basically Christmas for cyber criminals and identity thieves," said Max Kilger, professor of cybersecurity at the University of Texas at San Antonio.
Before the website was fixed, the information available could be useful in an increasingly common cyber crime dealing with property sales. According to Kilger, cyber criminals are spoofing emails from mortgage brokers, banks and others to try and scam individuals into wiring money to the people they think they are buying property from. The FBI categorizes this type of cyber crime as “business email compromise” which was the most costly type of crime in 2018.
Despite the dozens of massive data breaches and leaks the U.S. experienced in the past few years, Kilger said he was shocked by the potential size and scope of this incident.
"We purchased a house not that long ago,” he said. “And having that information exposed — that’s really a significant issue."
CEO Dennis Gilmore in a statement last week said First American regrets the concern the defect caused. Gilmore said the company brought in an outside cyber security firm to investigate if anyone accessed the data. According to their website, they don’t have an end date for the investigation.
It is offering free credit monitoring to people who received title insurance, escrow or closing services from First American Title or its affiliates.
The company is being sued in federal court by an individual, and the state of New York launched an investigation last week.
A spokesperson for the Texas Attorney General's office said it doesn’t confirm or deny ongoing investigations.
Even if they wanted to, it would be difficult since Texas laws don’t do much for data breaches.
“Today, literally today, unfortunately there is very little a Texan can do,” said Giovanni Capriglione, a North Texas Republican House member who previously chaired the body’s cyber select security committee.
Capriglione authored HB 4390, which among other things provided more tools for the AG in prosecuting companies with lax data security as well as civil penalties up to $10,000 per violation, capped at $1 million.
The resulting bill strengthened rules involving the timeframe during which a company must notify people whose data was breached, ranging from as soon as possible to within 60 days. It also creates an advisory group that will study the issue. The bill goes into effect Jan. 1.
“When a company violates your safety, which it could with this kind of information,” he said, “I do think the government has a responsibility to go after those bad actors.”