Security News > 2021 > June > First American Financial Pays Farcical $500K Fine
In May 2019, KrebsOnSecurity broke the news that the website of mortgage settlement giant First American Financial Corp. [NYSE:FAF] was leaking more than 800 million documents - many containing sensitive financial data - related to real estate transactions dating back 16 years.
According to data from the American Land Title Association, First American is the second largest mortgage title and settlement company in the United States, handling nearly a quarter of all closings each year.
Aside from its core business competency - checking to make sure the property at issue in any real estate transaction is unencumbered by any liens or other legal claims against it - First American basically has one job: Protect the privacy and security of all these documents.
Roughly five months before KrebsOnSecurity notified First American that anyone with a web browser could view sensitive document in its "Eagle Pro" database online just by changing some characters at the end of a link, an internal security audit at First American flagged the exact same vulnerability.
The SEC took aim at First American because a few days after our May 24, 2019 story ran, the company issued an 8-K filing with the agency stating First American had no prior indication of any vulnerability.
Documents from New York financial regulators show First American was unable to determine whether records were accessed prior to Jun 2018.