By Jonathan Stempel
NEW YORK (Reuters) – First American Financial Corp
The New York State Department of Financial Services said Social Security numbers, bank account numbers, drivers’ licenses and other records were exposed from October 2014 to May 2019 because of a known vulnerability in First American’s website.
It said First American’s cyber defense team discovered the vulnerability in December 2018 by conducting a simulated cyberattack known as a “penetration test,” but the company ignored the team’s urging that it follow up.
Penalties could be significant, because the regulator considers each instance of exposed personal information a separate violation, with a maximum $1,000 penalty.
First American said on May 24, 2019, that it had fixed the vulnerability, after cybersecurity specialist Brian Krebs wrote that 885 million records dating to 2003 had been exposed. The company’s stock price fell 6.3% on the next trading day.
In a statement on Wednesday, First American said it “strongly disagrees” with the charges.
The Santa Ana, California-based company said its own probe found only a “very limited number” of consumers, none from New York, had personal information accessed without permission, and otherwise found no evidence of misuse.
“We intend to vigorously defend ourselves against the department’s unreasonable charges,” it said.
The financial services department said First American’s own review found more than 350,000 documents had been accessed improperly from June 2018 to May 2019 by automated “bots” or “scraper” programs.
First American was charged with violating six provisions of the department’s cybersecurity regulation, which took effect in March 2017.
It requires that banks and insurers licensed to operate in New York have “robust” cybersecurity programs, and monitor them regularly.
A hearing is scheduled for Oct. 26.
(Reporting by Jonathan Stempel in New York; editing by Jonathan Oatis)