August 06, 2020//Joel Burleson-DavisLast Updated: May 13, 2022
The revelation of the blockbuster breach of over 885 million financial records exposed by First American Financial Corporation last year was shocking: it was one of the largest breaches of consumer data to date. More shocking still was the relative lack of publicity it received outside the security trade publications.
But given that their business of title insurance and other mortgage products isn't something people interact with every day, or even every year, most people outside the financial IT security industry probably didn't hear much about it. If they did, they didn't worry about it too much, since they didn't realize they might have been a customer back when they financed a house. Who remembers who wrote the title insurance on their home? It's a niche industry with little competition and less oversight than traditional banking.
However, this breach caught the eyes of regulators, namely those at the New York State Department of Financial Services, or NYS-DFS as it is known. This entity regulates firms licensed to do business in New York. First American Financial (NYSE: FAF) writes title insurance policies in the state, so it falls squarely under its jurisdiction.
The NYDFS Cybersecurity Regulation, formally 23 NYCRR 500, was issued by the department and took effect in 2017, with phased compliance deadlines running into 2019. It has had many national banks and other financial service firms scrambling to comply with its tough requirements. The NYS-DFS notified the firm that it would be sanctioned under the regulation because of the huge breach, and the possible sanctions can be astronomical. The penalty can be as high as $1,000 per violation, and the department is treating each exposed record as a separate violation. At a possible 885 million records, the fine could reach $885 billion, which is a fine that is going to leave a mark!
Almost certainly, this won't be the final figure. They will probably negotiate it down quite a bit, and years will go by while appeals and various legal maneuvers make their way through the system. However, even a fraction of that amount will be very damaging to a firm that had $6.2 billion in revenue last year. And this is on top of any judgments in the class-action civil lawsuits that will certainly be brought against them.
Whether or not they weather this storm will depend largely on how well they are able to argue their case and how much of the tab their cyber insurance picks up. Fighting the agency's findings and the lawsuits will be made more difficult by the fact that the issue behind the exposure had been found in a penetration test conducted in late 2018, months before the breach became public.
So this most likely means one of two things: they either ignored those findings, or they failed to properly remediate them. Either way, the vulnerability remained, and hackers and internet bots were able to freely gather the personal financial information of its customers.
The amount of data actually accessed remains in dispute, with the department's filing claiming at least 350,000 records were actively accessed and the company claiming only dozens. Unfortunately, the company has so far been unable to produce logs that prove its assertion, which suggests that it may not have records going back as far as the vulnerability existed. This means it will be hard to ever truly know how many people's financial information was stolen.
There are multiple lessons to be learned from this sad tale, but two stand out.
One is that regular vulnerability scans and penetration tests are no good if you don't follow up on the findings and diligently remediate every valid one. Making your vulnerability management program a closed loop (find, fix, re-test, confirm) is vital to staying ahead of the attackers trying to exploit those findings.
Second, keeping accurate, granular logs of every access to sensitive data, particularly by outsiders and third parties, is extremely important, and it is becoming ever more vital in this age of rapidly increasing cyberattacks and the regulatory action that follows them. Logs you cannot produce are logs you cannot defend yourself with.
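The second lesson is easier to act on with something concrete. The following is an added example, not code from the original post or from First American, showing the two questions such logs have to answer: which external clients are pulling records in bulk or without an authenticated user, and how far back the retained logs actually reach relative to when the flaw existed. The JSON-lines log entries, field names, corporate IP range, thresholds and the assumed exposure start date are all constructed for this example and are not a real product's format.

```python
"""Bulk-access detection and retention-coverage check over access logs for
a document-serving endpoint.  Added example; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import json

# Constructed sample: one JSON object per read of a sensitive record.
# "user":"-" marks a request that carried no authenticated session.
SAMPLE_LOG = """
{"ts":"2019-03-01T09:00:00Z","client":"10.1.4.7","user":"agent42","record":"DOC-100201","status":200}
{"ts":"2019-03-01T09:02:11Z","client":"10.1.4.7","user":"agent42","record":"DOC-100205","status":200}
{"ts":"2019-03-01T11:15:00Z","client":"198.51.100.23","user":"-","record":"DOC-100300","status":200}
{"ts":"2019-03-01T11:15:01Z","client":"198.51.100.23","user":"-","record":"DOC-100301","status":200}
{"ts":"2019-03-01T11:15:02Z","client":"198.51.100.23","user":"-","record":"DOC-100302","status":200}
{"ts":"2019-03-01T11:15:03Z","client":"198.51.100.23","user":"-","record":"DOC-100303","status":404}
{"ts":"2019-03-01T11:15:04Z","client":"198.51.100.23","user":"-","record":"DOC-100304","status":200}
{"ts":"2019-03-01T11:15:05Z","client":"198.51.100.23","user":"-","record":"DOC-100301","status":200}
{"ts":"2019-03-02T08:30:00Z","client":"203.0.113.9","user":"customer17","record":"DOC-100777","status":200}
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed corporate range
ASSUMED_EXPOSURE_START = datetime(2019, 1, 1, tzinfo=timezone.utc)  # assumed flaw introduction


def parse_log(text):
    """Parse JSON-lines access log into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def is_external(addr):
    """True if the client address is outside the assumed corporate ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def summarize_by_client(events):
    """Per client: distinct records successfully read, request count,
    unauthenticated request count, and first/last timestamp."""
    summary = defaultdict(lambda: {"records": set(), "requests": 0,
                                   "unauth": 0, "first": None, "last": None})
    for ev in events:
        s = summary[ev["client"]]
        s["requests"] += 1
        if ev["status"] == 200:
            s["records"].add(ev["record"])
        if ev["user"] == "-":
            s["unauth"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(summary)


def find_bulk_readers(summary, min_records=3, window=timedelta(minutes=5)):
    """Flag external clients that read many distinct records in a short
    window, or that read any record without an authenticated user."""
    hits = []
    for client, s in summary.items():
        if not is_external(client):
            continue
        fast = len(s["records"]) >= min_records and (s["last"] - s["first"]) <= window
        if fast or s["unauth"]:
            hits.append(client)
    return sorted(hits)


def records_exposed(summary, clients):
    """Distinct records read by the flagged clients: the number a regulator
    asks for, and answerable only if the logs cover the whole period."""
    exposed = set()
    for c in clients:
        exposed |= summary[c]["records"]
    return sorted(exposed)


def retention_gap(events, exposure_start):
    """Whole days between the assumed start of the exposure and the earliest
    retained log entry.  Anything above zero is time you cannot account for."""
    earliest = min(ev["ts"] for ev in events)
    return max((earliest - exposure_start).days, 0)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summ = summarize_by_client(evs)
    flagged = find_bulk_readers(summ)
    print("flagged clients:", flagged)
    print("distinct records exposed:", len(records_exposed(summ, flagged)))
    print("days without log coverage:", retention_gap(evs, ASSUMED_EXPOSURE_START))
```

On the constructed sample the external, unauthenticated client reading sequential record IDs is flagged, four distinct records are counted as exposed, and the retention check reports 59 days between the assumed exposure start and the first surviving log line. The record-ID field is what makes the second number possible at all: a log that records only URLs hit per day, or that is rotated after 30 days, cannot answer the question the regulator asked in this case.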
The final outcome will be watched closely by other covered firms (which include most of the major banks in the country). But don't wait for the final verdict. Make sure your organization is constantly searching for holes in its defenses and quickly plugging them when found. And make sure your logging regimen reaches back far enough to be useful and is granular enough to tell you what is actually going on, so you can catch incidents before they become breaches.