On May 29, 2019, The New York Times reported that New York’s Department of Financial Services “is investigating a security vulnerability at First American Financial Corporation, a title insurance company, that exposed an estimated 885 million records related to mortgage deals.”
According to The New York Times:
The inquiry, by the Department of Financial Services, is likely to be followed by other investigations from regulators and law-enforcement authorities into a security failure that exposed 16 years of digital documents containing bank account statements, tax records, Social Security numbers, wire transaction receipts and images from drivers licenses.
In terms of the sheer number of exposed records, the breach appears to be the largest since an attack on Yahoo that compromised three billion user accounts. First American left the documents on a website that was publicly accessible, without any authentication protections, according to a report published on Friday by KrebsOnSecurity, a security news site.
First American said on Tuesday that it had shut down external access to the web application that had revealed the customer data. But the data already revealed was not easy to erase, and some of it remains accessible in search engine caches.
The New York Times also reported that the probe by the Department of Financial Services “is the first begun by the agency under a new state cybersecurity regulation,” a regulation “considered the strictest in the nation,” and which “requires financial companies to regularly audit and report on how they protect sensitive data.” The cybersecurity regulation also, according to The New York Times “allows the agency to impose financial penalties on companies for violations it considers reckless or willful.”