Dive Brief:
- The New York State Department of Financial Services reached a $1 million settlement with First American Title Insurance Co. for violations stemming from a 2019 data leak.
- The May 2019 breach exposed 885 million documents of non-public customer data due to a vulnerability in the company’s proprietary EaglePro application, the state agency said. The documents dated back to 2003.
- The investigation found the company, the second-largest title insurance company in the U.S., failed to maintain effective governance and classification, proper access controls and risk assessment policies. First American agreed to implement measures to better secure customer data.
Dive Insight:
The settlement comes just a week after Fidelity National Financial, one of the nation’s largest title insurance companies, was hacked in a suspected ransomware attack.
Fidelity National Financial, based in Jacksonville, Florida, had to disrupt part of its operations after a suspected ransomware actor gained access to its systems and stole credentials.
Fidelity is assessing what the near-term financial and operational impact will be on the company and whether the attack would be considered material, according to a filing with the Securities and Exchange Commission.
The Fidelity attack comes amid heightened efforts to clamp down on cybersecurity risk to critical infrastructure providers, including the financial services sector.
The Federal Trade Commission just last month amended rules that will require non-bank financial services firms to report data breaches involving more than 500 customers.
The SEC is also just weeks away from enforcing new incident disclosure requirements for publicly traded companies.
New York State DFS officials said management at First American learned in May 2019 of the EaglePro vulnerability, which allowed anyone with access to a link to see their documents and to gain access to other users' documents without authentication.
A report by a cybersecurity journalist that month indicated the vulnerability exposed 885 million documents, including sensitive data like Social Security numbers, driver's licenses and tax and banking information, according to the consent order. The investigation showed that company management learned of the vulnerability prior to the story.
“We’re pleased that this matter has been resolved,” the company said in an emailed statement. “First American remains committed to supporting our customers in the secure and efficient transfer of real estate in New York.”
Earlier this month, New York amended its cybersecurity regulations to include significant enhancements to governance, training and requirements to report ransomware payments.
Companies will need to conduct more regular risk assessments, including disaster planning, incident response and business continuity planning.