Company sued by client; Data leak under investigation
Real estate giant First American Financial Corp (NYSE:FAF), that suffered a serious data leak recently, was sued by a client late last month for failing to implement “even rudimentary security measures” and putting millions of clients’ information at risk. KrebsOnSecurity had broken the news about the exposed data on May 24, 2019. Nearly 885 million client records including bank account numbers and statements, mortgage and tax records, and social security numbers were affected by the leak. Anyone using a web browser could access these records without authentication until the vulnerability was fixed by First American. KrebsOnSecurity was informed of the situation by a real estate developer from Washington state who had earlier also alerted FAF but had not received a response from the company.
In March 2019, the New York Department of Financial Services (NYDFS) introduced new cybersecurity regulation – 23 NYCRR 500 – that covers financial entities ranging from state and private banks to mortgage and insurance companies. The new regulation is seen as one of the strictest in the country, and will be applied to the investigation of the FAF data exposure which is already underway. State authorities may impose heavy fines on First American if the violations are found to be willful or reckless.