First American Title Insurance Co., the country’s second-largest title insurer, agreed to pay New York state $1 million for violating the state’s Cybersecurity Regulation, which since 2017 has required companies to meet minimum standards for protecting customer data.
The agreement with the New York Department of Financial Services stems from a May 2019 incident in which cybersecurity journalist Brian Krebs wrote about a vulnerability that exposed hundreds of millions of documents in the company’s EaglePro application. The application provides users access to documents related to real estate transactions.
Krebs wrote on his blog, "Krebs on Security," that he was able to view consumers’ Social Security numbers, driver’s license numbers, and tax and banking information in some documents, according to the settlement with DFS.
Individuals with a link to access EaglePro “could access not only their own documents without authentication, but also those of individuals in unrelated transactions,” DFS said.
Title insurers such as First American protect homebuyers and mortgage lenders in the case of defects in a title, such as unknown liens or back taxes owed on a property.
The lack of controls needed to prevent unauthorized users from gaining access to consumers’ non-public information violated the state’s Cybersecurity Regulation.
Prior to publication of the article on the breach, First American had shut down external access to the application and notified DFS on May 27, 2019. The department’s investigation found that First American first learned of the vulnerability in December 2018. An internal report produced at that time showed that changing the part of a URL used to access one document to another sequential number allowed users to access other documents without authentication.
The internal report also showed some documents could be found using Google searches, though it noted none of the documents it reviewed contained non-public personal information.
The department told Newsday it does not know how many New Yorkers were affected by the breach. It acknowledged in the agreement that First American had cooperated with the investigation and taken steps to strengthen its information security program.
In a statement to Newsday, First American said it is pleased the matter has been resolved.
“First American remains committed to supporting our customers in the secure and efficient transfer of real estate in New York,” the company said.
The amount of personal financial data shared with title insurers makes them a target for hackers. Another top U.S. title insurer, Fidelity National Financial, said earlier this month that a cyberattack had disrupted its operations.