A unit of First American Financial exposed hundreds of millions of documents containing sensitive information, according to the New York State Department of Financial Services.
Photo: H. Lorren Au Jr/The Orange County Register/ZUMA PressNew York’s top financial regulator filed charges Wednesday against a subsidiary of insurance company First American Financial Corp. in the first enforcement action by the regulator under a set of rules requiring banks and other financial services companies to maintain cybersecurity protections.
The New York State Department of Financial Services alleged that First American Title Insurance Co., the second-largest real-estate title insurer in the U.S., exposed hundreds of millions of documents containing sensitive information such as Social Security numbers and bank account information over the course of several years.
The exposure stemmed from flaws in a document-management system that allowed anyone to view files without needing passwords or other security measures, DFS said.
In March 2017, the regulator debuted a series of laws that set out how financial services companies licensed to operate in New York should construct their cybersecurity programs. The rules include regular risk assessments, timely notifications of incidents, and ensuring that companies limit access to sensitive customer information. DFS superintendent Linda Lacewell has promised to crack down on cybersecurity failings in the past.
In a statement of charges, the regulator said the subsidiary of Santa Ana, Calif.-based First American was aware of the flaw in its system for a number of months before it was revealed by journalist Brian Krebs in 2019.
Penetration tests commissioned by First American, which essentially authorized specialists to hack its own systems to find weaknesses, discovered the problem in late 2018, DFS said. However, a series of mistakes and administrative errors meant the problem wasn’t classified as a priority to fix, the regulator said.
The company didn’t respond to messages seeking comment.
DFS alleged that First American violated six sections of its rules. The company could face steep fines if found guilty—the regulator said it considers each instance of exposed personal information a separate violation, attracting a penalty of $1,000 each.
DFS has set a hearing for Oct. 26.
Corrections & Amplifications
Charges were filed against First American Title Insurance Co., a subsidiary of First American Financial Corp. A previous version of this article incorrectly said First American Financial was charged. The subsidiary was aware of a flaw in its program for months, the New York State Department of Financial Services alleged. A previous version of this article said the company had known for years. (Corrected on July 22.)
Write to James Rundle at james.rundle@wsj.com and Dylan Tokar at dylan.tokar@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
"first" - Google News
July 22, 2020 at 08:57PM
https://ift.tt/3jvjmLl
New York Regulator Charges First American Unit Over 2019 Data Breach - Wall Street Journal
"first" - Google News
https://ift.tt/2QqCv4E
https://ift.tt/3bWWEYd
Bagikan Berita Ini
0 Response to "New York Regulator Charges First American Unit Over 2019 Data Breach - Wall Street Journal"
Post a Comment