Advertisement

SKIP ADVERTISEMENT

New York Regulator to Investigate Exposure of Mortgage Documents

A New York State financial regulator is investigating a security vulnerability at First American Financial Corporation, a title insurance company, that exposed an estimated 885 million records related to mortgage deals.

The inquiry, by the Department of Financial Services, is likely to be followed by other investigations from regulators and law-enforcement authorities into a security failure that exposed 16 years of digital documents containing bank account statements, tax records, Social Security numbers, wire transaction receipts and images from drivers licenses.

In terms of the sheer number of exposed records, the leak appears to be the largest since an attack on Yahoo that compromised three billion user accounts. First American left the documents on a website that was publicly accessible, without any authentication protections, according to a report published on Friday by KrebsOnSecurity, a security news site.

First American said on Tuesday that it had shut down external access to the web application that had revealed the customer data. But the data already revealed was not easy to erase, and some of it remains accessible in search engine caches.

First American said that it had hired an outside firm to investigate the data exposure and that its preliminary work had not yet found any signs of “large-scale unauthorized access” to the data.

But security researchers said that records can be scraped gradually from websites without leaving much trace — and that First American would have no way of knowing when and how the data was viewed unless it was actively monitoring the site that contained the information. Marcus Ginnaty, a spokesman for First American, declined to comment on whether the company was doing so.

Few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company. First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions. The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.

The Department of Financial Services sent a letter to First American on Tuesday asking for information about when the security failure was discovered, what steps were taken to fix it and how many people in New York State were affected by it, according to a copy of the letter reviewed by The New York Times.

The investigation is the first begun by the agency under a new state cybersecurity regulation that took effect in March. The rule, considered the strictest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and it allows the agency to impose financial penalties on companies for violations it considers reckless or willful.

A version of this article appears in print on  , Section B, Page 3 of the New York edition with the headline: New York Regulator Investigates Leak Of Mortgage Data. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT