The Securities and Exchange Commission (SEC) on Tuesday announced settled charges against First American Financial Corp., one of the largest mortgage title and settlement services companies in the U.S., alleging cybersecurity breaches when the company exposed sensitive personal information of its customers and did not follow proper incident response when informing customers about the leak.
The SEC's order on the matter noted that a cybersecurity journalist notified First American of a data protection vulnerability on the morning of May 24, 2019, in which it exposed more than 800 million images dating back nearly two decades. The images in the data breach contained sensitive personal data like social security numbers.
First American currently controls 21.07% of the market share for mortgage title companies, second only to Fidelity National Financial, which holds a 32.24% market share. It is one of four mortgage title companies that control nearly all mortgage transactions.
To ensure your information is safe, consider using a credit monitoring service for risk management to alert you to any cyber threats and protect against identity theft. Visit Credible to get started.
First American issued a statement in response to the leak the same day the company was notified of it, but according to the SEC, that wasn't enough of a response plan. The agency's order said the company's senior executives weren't informed that their information security personnel had identified the leak several months earlier, and hadn't fixed the problem, come up with a response plan or told anyone about it. The SEC alleged this poor cyber incident response put personal information at risk.
This information security breach came just before title companies saw a surge in new business in 2020 due to an unprecedented uptick in historic mortgage origination activity, according to the American Land Title Association (ALTA). The title insurance industry generated a total of $19.2 billion in premiums throughout 2020, up from $15.8 billion in 2019. First American generated just less than $4.5 billion of that.
If you have questions about your mortgage, visit Credible and talk to a home loan expert.
"As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it," said Kristina Littman, SEC Enforcement Division cyber unit chief. "Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."
The order charges First American with violating Rule 13a-15(a) of the Exchange Act when it failed to protect personal information and its risk management plan did not properly inform users about the extent of the data breach, according to the SEC's press release. The company did not admit nor deny the SEC’s findings, but agreed to a cease-and-desist order and to pay a $487,616 penalty.
"We’re pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements," First American said in a statement.
To ensure you are safe from the next data breach, Credible’s credit monitoring services can help keep you safe from identity theft or other cyber threats by monitoring your credit and alerting you to any new activity.
Data security threats in general are on the rise. A recent report on data security from Verizon shows that phishing attacks increased by 11% annually so far in 2021, while attacks using ransomware rose by 6%.
Keeping security measures in place increases cybersecurity awareness and is important to keep cyber-attackers at bay, protect your personal information and identity, and ensure your credit is not damaged. Having a detection system in place for data protection can ensure the first time you see your identity stolen is not when you go to apply for a credit card. To make sure your personal information is safe, use a credit monitoring service that can alert you to potential cybersecurity threats.
Have a finance-related question, but don't know who to ask? Email The Credible Money Expert at firstname.lastname@example.org and your question might be answered by Credible in our Money Expert column.