Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday August 03 2020, @10:18AM   Printer-friendly
from the fitting-punishment-or-cost-of-doing-business? dept.

NY Charges First American Financial for Massive Data Leak:

Santa Ana, Calif.-based First American [NYSE:FAF] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019.

As first reported here last year, First American's website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

The documents were available without authentication to anyone with a Web browser.

According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.

"Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist," the DFS explained in a statement on the charges.

[...] The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

First American's stock price fell more than 6 percent the day after news of their data leak was published here. In the days that followed, the DFS and U.S. Securities and Exchange Commission each announced they were investigating the company.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 0) by Anonymous Coward on Monday August 03 2020, @12:47PM

    by Anonymous Coward on Monday August 03 2020, @12:47PM (#1030686)

    They should have called it America First Patriot USA USA USA No. 1 Bank.

    Prosecution would be impossible - why do you hate America? NOT guilty.

  • (Score: 0) by Anonymous Coward on Monday August 03 2020, @01:05PM (1 child)

    by Anonymous Coward on Monday August 03 2020, @01:05PM (#1030698)

    The right people to go after here are the white hat hackers/the customers complaining about their privacy being breached and maybe the ones exploiting the vulnerabilities for personal gain to the extent they are easy targets. Oh, and if you can find some lame excuse to go after the FANG companies for grandstanding reasons that's a plus as well. Can't actually go after the negligent companies that refuse to patch their vulnerable systems though. That would make too much sense. This is unacceptable.

    • (Score: 0) by Anonymous Coward on Monday August 03 2020, @01:07PM

      by Anonymous Coward on Monday August 03 2020, @01:07PM (#1030699)

      Oh, and let's not forget. We need backdoor encryption because ... it will help us go after all the wrong people when there are plenty of better targets we should have been going after instead.

  • (Score: -1, Troll) by Anonymous Coward on Monday August 03 2020, @01:56PM (3 children)

    by Anonymous Coward on Monday August 03 2020, @01:56PM (#1030726)

    It's New York again. Those Marxist scumbags!

    Interfering with businesses is unamerican and stinks of Ukraininans (Crooked Joe Biden)!

    No one should have the right to interfere with the business affairs of corporations.

    They are people after all. And people have rights!

    Anyone reporting security vulnerabilities at corporations and/or anyone who publishes stories about them should be imprisoned for at least five years and then shot nearly dead and left to die in a pool of their own blood. But not before they are forced to watch their families gang-raped and disemboweled.

    Because that's the American way.

    First American Financial's Political Action Committee (PAC) [opensecrets.org] has made significant donations to political parties and candidates. As such, they must be treated as honored citizens and given every deference.

    But no! Those communists who hate America want to destroy our society, our economy and our democracy.

    That darkie [wikipedia.org] is a communist infiltrator and wants nothing more than lots of hard Muslim cock in her and every woman in the US.

    She's from the Communist state of New York City, which God has cursed with lots of other darkies.

    We need to get rid of her and everyone like her.

    Power to the people (and that includes corporations, because they're people too!)! Down with communist/muslim cock-gobblers who want to murder you and rape your women!

    USA! USA! USA! TRUMP! TRUMP! TRUMP!

    • (Score: 0) by Anonymous Coward on Monday August 03 2020, @05:58PM (2 children)

      by Anonymous Coward on Monday August 03 2020, @05:58PM (#1030815)

      Finally modded troll! Thank goodness!

      It'd been hours since I posted this and it just sat there.

      At least someone has recognized the full trollishness of my comment. Thank you!

      I have to say that I'm pleased (although a little surprised, given the folks around here) that it wasn't modded '+1 Insightful'.

      Although obvious satire (did I lay it on thick enough to obviate Poe's Law?) could get a '+1 Funny' I suppose.

      • (Score: 0) by Anonymous Coward on Monday August 03 2020, @10:24PM (1 child)

        by Anonymous Coward on Monday August 03 2020, @10:24PM (#1030961)

        Everyone already knew it was an EF post.

        • (Score: 0) by Anonymous Coward on Monday August 03 2020, @11:48PM

          by Anonymous Coward on Monday August 03 2020, @11:48PM (#1031001)

          Sorry to disappoint you. I'm not EF. Because EF doesn't post AC. But I do.

          And while my modesty is exceeded only by my fabulousness, I'd point out that mine is a *much* better troll than anything EF does.

          Note to EF: This is a challenge for you to up your game. I've always said you were a fucking asshole, but you're *our* fucking asshole. But you've been slipping lately. Don't let us down EF!

  • (Score: 2) by Thexalon on Monday August 03 2020, @07:33PM

    by Thexalon (636) on Monday August 03 2020, @07:33PM (#1030892)

    If you want to make businesses take the security of their customers' information seriously, you need to charge the people that decided to skimp on security, not the organization that profited from it. Because otherwise, the only people that pay the price are the shareholders, the customers, and some poor underling who had and still has zero power in the organization, who will get scapegoated and fired.

    Unfortunately, that means figuring out who was actually responsible for a decision within an organization, which is basically near impossible to do: When something good happens, absolutely everybody in the organization claims credit. When something bad happens, absolutely everyone in the organization avoids responsibility.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(1)