Within the span of a couple of months between May and June, a series of headlines hit the industry underscoring the need to address cybersecurity issues. Around the same time Baltimore agents were tackling the effects of a ransomware attack on the city, KrebsOnSecurity reported that hundreds of millions of documents related to mortgage deals going back to 2003 were exposed on First American Financial Corp.’s website. Weeks later, ALTA called on companies to take action after warning them that usernames and passwords had allegedly been acquired using a phishing campaign.
The full impact of these incidents might not be felt for a while, though steps are being taken to protect those impacted, but there are lessons to be learned from these and other incidents that have occurred in the last few months.
The incidents
On May 24, KrebsOnSecurity reported that hundreds of millions of documents related to mortgage deals going back to 2003 were exposed on First American Financial Corp.’s website. These included bank account numbers and statements, mortgage and tax returns, Social Security numbers, wire transaction receipts and driver’s license images. All were available without authentication to anyone with a web browser.
KrebsOnSecurity noted that it was contacted by Ben Shoval, a real estate developer in Washington state who initially discovered the exposure. KrebsOnSecurity confirmed that First American’s website exposed 885 million files and that the earliest documents dated back more than 16 years.
“I should emphasize that these documents were merely available from First American’s website; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker),” the KrebsOnSecurity report stated.
“Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today,” the report continued.
In a release regarding its investigation into the information security incident, First American advised that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data. In July, First American announced that its investigation into the extent to which customer information may have been compromised in connection with a reported information security incident was completed, with a minimal number of consumers impacted.
On July 16, it announced on its website: “First American Financial Corp. advises that the investigation into the extent to which customer information may have been compromised in connection with the reported information security incident is complete. The investigation identified 32 consumers whose non-public personal information likely was accessed without authorization. These 32 consumers have been notified and offered complimentary credit monitoring services.”
In an earlier update, on June 18, it shared that it had corrected the reported design defect that created the potential for unauthorized access to certain customer data.
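The exposure described above came down to a document store that answered requests without checking who was asking. The following is an added illustration, not First American’s code or a finding from its investigation: it models the weak design as a per-document link served with no authorization check (that specific defect is an assumption made for the example) and places a hardened version beside it that requires an authenticated session, ties each document to the party entitled to see it, uses unguessable identifiers, and returns the same answer for “missing” and “forbidden” so a caller cannot enumerate which records exist. The audit list gives a defender something to alert on.

```python
"""Added example: an unauthenticated document endpoint next to a hardened one.
Hypothetical code; the modelled defect (a per-document link with no
authorization check) is an assumption, not a statement from the page."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    owner: str      # party (buyer, lender, agent) entitled to view the file
    content: bytes


@dataclass
class DocumentStore:
    docs: dict = field(default_factory=dict)      # doc_id -> Document
    sessions: dict = field(default_factory=dict)  # session token -> user
    audit: list = field(default_factory=list)     # (decision, user, doc_id)

    def add(self, owner: str, content: bytes) -> str:
        # Opaque, random identifier: a sequential number invites guessing.
        doc_id = secrets.token_urlsafe(16)
        self.docs[doc_id] = Document(doc_id, owner, content)
        return doc_id

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    # Weak design: whoever presents (or guesses) an id receives the file.
    def fetch_unauthenticated(self, doc_id: str):
        doc = self.docs.get(doc_id)
        return doc.content if doc else None

    # Hardened design: a valid session AND ownership of the document.
    def fetch(self, doc_id: str, token: str):
        user = self._session_user(token)
        doc = self.docs.get(doc_id)
        if user is None or doc is None or doc.owner != user:
            # One answer for "no such document" and "not yours": the
            # response does not reveal which ids exist.
            self.audit.append(("DENY", user, doc_id))
            return None
        self.audit.append(("ALLOW", user, doc_id))
        return doc.content

    def denied_attempts(self) -> int:
        """Count of refused requests; a spike is worth alerting on."""
        return sum(1 for decision, _, _ in self.audit if decision == "DENY")

    def _session_user(self, token: str):
        # Constant-time comparison avoids leaking token bytes via timing.
        for stored, user in self.sessions.items():
            if hmac.compare_digest(stored, token):
                return user
        return None


def demo() -> dict:
    """Constructed scenario: Alice's closing statement, Bob tries to read it."""
    store = DocumentStore()
    doc = store.add("alice", b"closing statement for 123 Main St")
    bob = store.login("bob")
    alice = store.login("alice")
    return {
        "weak_leaks_to_anyone": store.fetch_unauthenticated(doc) is not None,
        "hardened_blocks_bob": store.fetch(doc, bob) is None,
        "hardened_serves_alice": store.fetch(doc, alice) is not None,
        "hardened_blocks_bogus_token": store.fetch(doc, "not-a-session") is None,
        "denied": store.denied_attempts(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ownership check is that authentication alone is not enough: a logged-in customer must still be prevented from reading another customer’s file by changing the identifier in the link.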
While First American was tackling this exposure, the city of Baltimore was addressing a ransomware attack it experienced May 7. This caused havoc in the liens office and caused underwriters to prohibit agents from issuing title policies, suspending closings on city property.
According to a story in the Baltimore Sun, the city’s computer system had been encrypted with the RobbinHood virus and hackers were demanding 13 Bitcoin to free the city’s system. It further reported that the ransom message said the ransom must be paid within four days or the price would go up.
In the first week of July, in an alert on its website, ALTA stated that a person claiming to be an ethical hacker contacted the association via Twitter, providing files that contain 600 data entries consisting of domain identification, IP addresses, usernames and passwords, as well as information for non-title companies.
The alert stated: “There is no indication the data comes from a specific system breach. There are no signs that the credentials are still active or how they were obtained. We believe this person is also contacting individuals and companies they can identify from the data.”
In a later update, ALTA noted that the information sent to it offered no indication of how the credentials were obtained, whether the credentials were current or active and whether the credentials provided access to any individual company networks, software applications, online email systems or other credential-based products or services.
It said its analysis found 182 unique email addresses and 154 unique domains. The alert stated that ALTA would contact companies’ primary contact if their company domain was found.
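The triage ALTA describes, reducing a list of leaked entries to unique email addresses, unique domains and the member companies whose primary contact should be told, is a routine that any association or MSP receiving such a file has to perform. The script below is an added example, not ALTA’s tooling; the file layout (a comma-separated header of domain, IP address, username and password) and the sample rows are constructed for illustration. It deliberately discards the password column on parsing, since a defender has no reason to retain it.

```python
"""Added example: triage of a constructed credential list of the kind ALTA
received. Layout, sample rows and member contacts are invented."""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample in an assumed layout; .test domains are reserved names.
RAW_DUMP = """\
domain,ip,username,password
example-title.test,203.0.113.10,jane@example-title.test,hunter2
example-title.test,203.0.113.10,joe@example-title.test,Pa55word
closingco.test,198.51.100.7,ops@closingco.test,letmein
closingco.test,198.51.100.7,ops@closingco.test,letmein
# unrelated, non-title company
widgets.test,192.0.2.44,admin,changeme
lenderbank.test,192.0.2.9,pat@lenderbank.test,secret
"""

# Constructed member directory: company domain -> primary contact.
MEMBER_CONTACTS = {
    "example-title.test": "contact@example-title.test",
    "closingco.test": "primary@closingco.test",
}


@dataclass(frozen=True)
class Entry:
    domain: str
    ip: str
    username: str
    # The password column is read and dropped; it is never stored.


def parse_dump(text: str) -> list:
    """Parse the list, skipping blank and '#' comment lines."""
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return [
        Entry(row["domain"].strip().lower(), row["ip"].strip(), row["username"].strip().lower())
        for row in reader
    ]


def summarize(entries: list) -> dict:
    """The figures an alert would report: totals, uniques, duplicates."""
    emails = {e.username for e in entries if "@" in e.username}
    domains = {e.domain for e in entries}
    return {
        "rows": len(entries),
        "duplicate_rows": len(entries) - len(set(entries)),
        "unique_emails": len(emails),
        "unique_domains": len(domains),
        "rows_per_domain": dict(Counter(e.domain for e in entries)),
    }


def companies_to_notify(entries: list, member_contacts: dict) -> list:
    """Members whose domain appears in the list, with the primary contact
    to notify and the number of affected rows, sorted by domain."""
    per_domain = Counter(e.domain for e in entries)
    return sorted(
        (domain, member_contacts[domain], count)
        for domain, count in per_domain.items()
        if domain in member_contacts
    )


if __name__ == "__main__":
    found = parse_dump(RAW_DUMP)
    print(summarize(found))
    for domain, contact, count in companies_to_notify(found, MEMBER_CONTACTS):
        print(f"notify {contact}: {count} entries for {domain}")
```

Matching on the domain column rather than on the email address catches rows where the username is not an email, and the duplicate count flags copies of the same record before they inflate the totals.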
Need for action
Francoise Gilbert, CEO of DataMiningLegalServices, said these recent security incidents are examples of the poor state of information security throughout the United States.
“Whether large or small, any entity that is the custodian of valuable or sensitive information of others has an obligation to protect this information,” she said. “In the case of recent examples of the security breach that affected one of the largest U.S. credit reporting agencies, and one of the largest U.S. title insurance companies, both organizations were regulated as financial services entities. This market sector has been regulated for years. There are laws and regulations requiring the implementation of adequate physical, technical and administrative measures to protect personal information.”
Jerald Ray, COO, SecureAge, noted that “regulatory compliance, best efforts and state of the art technology all make sense and work … when everyone is playing by the same rules. The IT security professionals in these large companies are smart, motivated, and doing their very best to secure customer data within a secure working environment for their own employees. But the constraints under which they work, such as compliance with regulations, security audits, and budgets, have no bearing on those launching cyberattacks with an interest in taking that data.
“Security systems will be tested by highly skilled and motivated adversaries,” he continued. “Attackers don’t care about regulatory compliance, don’t care about industry standards or audits. And they don’t care about your customers, or the security tool brands that they are up against. Rather than comply with regulations and best practices, consider the data at risk to be that of those most vulnerable, your family, or yourself.”
Gilbert and Ray said that little improvement will occur unless a serious commitment to security is made.
“When I was a young lawyer in the late 1980s, security breaches already occurred. That’s what drove me to this area as a young lawyer,” Gilbert stated. “Thirty-five years later, I see little progress. There are a few more laws, and in the past 15 years, all U.S. states adopted laws requiring the disclosure of security breaches. Security technologies have been developed. Despite legal and technical developments in the past 35 years, breaches keep occurring and their magnitude is increasing.”
“Tragically, the breaches have had seemingly little impact to date, as they continue to happen at a rapidly increasing frequency and scale,” Ray stated. “Any hope for a significant impact comes from the penalties and settlements reached that push companies collecting data into an economic cost-benefit analysis that favors investment in security versus payment of penalties.
“If the trend of increased data breaches is not remarkably reversed, we could enter an era of universal complacency,” he continued. “Consumers accept these data breaches are beyond their comprehension and not the fault of the companies who retain the data, but instead only the fault of malicious individuals. While the blame may be correct, the net result may be a giant step backward for economic progress enabled by computing advances.”
Practical lessons
There are also many practical lessons companies can take from recent events. Mitch Tanenbaum, partner and CISO, CyberCecurity, noted that recent ransomware cases in particular offer lessons about recovery procedures. Baltimore was not the only city to be attacked by ransomware recently; Lake City, Fla., was also hit and paid the ransom. Although that is a decision each entity must make for itself, he said, every entity needs to figure out a way to get back up and running as quickly as possible.
He noted that a company he knows of had been down for a week so far. Baltimore was shut down for weeks on end.
“You will be down until you [enact] whatever your recovery mechanism is,” Tanenbaum said. “If you don’t have a business continuity plan, if you don’t have a disaster recovery strategy, if you don’t have an incident response process, then you are likely going to be down much longer. You are not going to have a good way to deal with your customers.”
Ray said agents should encrypt data in its most elemental form – the data file.
“Encrypted tunnels between machines throughout networks, or encrypted volumes or hard drive that must be opened for data to be accessed will not protect any single file when it is plain,” he said. “A breach of encrypted data is infinitely better than the loss of anything that can be read in plain text.
“Consider data protection as a fundamental cost of goods or services sold,” Ray continued. “It’s not a generous or optional add-on for goodwill. Increasingly, customers will demand data security to be the product they are buying with whatever personal information they are willing to give up. A failure to protect personal financial data of customers is the same as failing to dispose of industrial waste, or to deliver the full quantity of good purchased, or to fulfill the seller’s obligations in any agreed upon commercial transaction.”
Gilbert provided several steps industry members should take in light of these recent breaches:
- Get the right budget;
- Get the best security team possible;
- Don’t mix information technology and information security. She said these require two very different types of expertise;
- Monitor the operations, again and again; and
- Train your personnel. She said this needs to be meaningful training and not just enough training to pass a test.
Impact of recent state actions
In recent years, there has been a movement toward increased compliance requirements and new cybersecurity and privacy laws. Ray Hutchins, managing partner, CyberCecurity, noted there is a trend in nonauthoritarian societies around the world toward granting citizens rights over their data. He noted that businesses are not used to having to acknowledge and work around the rights that laws like the California Consumer Privacy Act are providing to citizens. They have to change the way they collect, track, map and control the data they manage as part of their business.
Rudy Silva, Southeast practice director, GoldSky Security, noted that spaces outside financial services and healthcare have not had to adopt these cybersecurity and data security policies before now.
California and New York may have been the first, but more regulation around privacy and cybersecurity is coming at the state level.
“Other organizations are going to have to contend with [these new laws and regulations] and I think it’s a good thing in the long term because it’s going to force them to get their head out of the sand, but there are going to be some costs associated with it at the outset, which is part of doing business, I would say,” he said.
Tanenbaum added that among other things, these laws give consumers a private right of action to sue anyone who is holding their data, without having to show there was any harm. For instance, if there were 1 million individuals in California affected by a data breach, and each is entitled to $750 without having to show any harm, that would be a total of $750 million. These types of breaches would put a small independent title company out of business.
The new California law and others coming from other states could have an impact on future cases that are similar to First American’s. Days after the data exposure was announced, Gibbs Law Group LLP filed the first nationwide class action lawsuit accusing First American Title Company of failing to properly secure 885 million sensitive customer files, instead choosing to store them in a publicly accessible system. The case, David Gritz, on behalf of himself and all others similarly situated v. First American Financial Corp. and First American Title Company, was filed in the U.S. District Court for the Central District of California.
Specifically, the lawsuit alleges that First American Title Co. was negligent, and violated its contracts with customers, in the way it stored their personal information, which included bank account numbers, Social Security numbers, financial and tax records, and photos of their driver’s licenses. This “grave lapse in security” resulted in publicly exposing hundreds of millions of customers’ personal files, leaving them vulnerable to identity theft and other cybercrimes.
It noted that in the section titled Confidentiality and Security, First American states: “We will use our best efforts to ensure that no unauthorized parties have access to any of your information. We restrict access to nonpublic personal information about you to those individuals and entities who need to know that information … We currently maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your nonpublic personal information.” The complaint alleges claims for Unlawful, Unfair and Fraudulent Business Practices, violation of the Consumers Legal Remedies Act, Breach of Contract, unjust enrichment, negligence per se, and negligence.
In addition to that lawsuit, three law firms announced investigations into First American Financial Corp. and First American Title Insurance Co. regarding the reported data exposure.
On May 30, consumer rights litigation firm Haeggquist & Eck, LLP, announced its investigation into First American Title Insurance Co. In a release announcing its investigation, the firm noted that First American may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003.
Kahn Swick & Foti LLC announced that Charles Foti Jr., a partner and former attorney general of Louisiana, had begun an investigation into First American Financial Corp. The announcement stated that the firm’s investigation is focusing on whether First American’s officers and/or directors breached their fiduciary duties to First American’s shareholders or otherwise violated state or federal laws.
On May 31, Hagens Berman Sobol Shapiro LLP alerted investors in First American Financial Corp. to the firm’s investigation into possible personal data breaches.
“We’re focused on whether the reported security flaw has in fact led to data breaches and, if so, whether First American suffered damages,” Hagens Berman partner Reed Kathrein said.