First American Financial Corp. is reportedly the subject of a U.S. Securities and Exchange Commission investigation, following the discovery of a website defect that left 885 million documents exposed to the public.
Earlier this year, the financial services company's website was found to have allowed anyone with a web browser and a URL for a legitimate document to access company documentation and data dating back to 2003, without authentication. This includes bank account numbers, mortgage records, Social Security numbers, drivers' license images, tax records, and records related to wire transactions.
Cybersecurity expert and blogger Brian Krebs, who broke the story about First American, was also first to report the SEC's probe of the case yesterday. The man who initially tipped off Krebs, Seattle-based real estate developer Ben Shoval, reportedly informed Krebs that he received a letter from the SEC requesting documentation related to an investigation into whether "violations of the federal securities laws have occurred" due to the data leak condition.
Regulators in New York are also reportedly investigating the leak, which appears to fall under the state's recently passed New York Department of Financial Services Cybersecurity Regulation, which imposes cybersecurity requirements on financial institutions.
"It's a great step to create cybersecurity regulations, but that doesn’t mean anything unless the regulations are enforced," said Dan Tuchler, CMO of SecurityFirst, in emailed comments. "So it's reassuring to see that there is an investigation by both the SEC and the State of New York – and hopefully fines that compel companies to take data security more seriously."
Krebs said the SEC has declined comment and First American has not responded to questions about the website defect and other related inquiries. The company's last update on the incident, posted on July 16, said that an investigation found that 32 consumers likely had their personal information accessed without authorization.