
Report: SEC looking into First American Financial Corp.’s leaky website

First American Financial Corp. is reportedly the subject of a U.S. Securities and Exchange Commission investigation, following the discovery of a website defect that left 885 million documents exposed to the public.

Earlier this year, the financial services company's website was found to allow anyone with a web browser and the URL of a legitimate document to access, without authentication, company documentation and data dating back to 2003. The exposed records include bank account numbers, mortgage records, Social Security numbers, driver's license images, tax records, and records related to wire transactions.

Cybersecurity expert and blogger Brian Krebs, who broke the story about First American, was also the first to report the SEC's probe of the case, in a story published yesterday. The man who initially tipped off Krebs, Seattle-based real estate developer Ben Shoval, reportedly told Krebs that he had received a letter from the SEC requesting documentation related to an investigation into whether "violations of the federal securities laws have occurred" as a result of the data leak.

Regulators in New York are also reportedly investigating the leak, which appears to fall under the state's recently passed New York Department of Financial Services Cybersecurity Regulation, a rule that imposes cybersecurity requirements on financial institutions.

"It's a great step to create cybersecurity regulations, but that doesn’t mean anything unless the regulations are enforced," said Dan Tuchler, CMO of SecurityFirst, in emailed comments. "So it's reassuring to see that there is an investigation by both the SEC and the State of New York – and hopefully fines that compel companies to take data security more seriously."

Krebs said the SEC has declined to comment and First American has not responded to questions about the website defect or to other related inquiries. The company's last update on the incident, posted on July 16, said that an investigation found that 32 consumers likely had their personal information accessed without authorization.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
