Vulnerability may be fixed, but leaves behind headaches
First American Financial Corp., one of the biggest title insurers in the U.S., is being sued by a client who claims the company’s lax security measures put him at risk of identity theft, along with millions of other people whose personal information could be easily accessed through its website.
The lawsuit comes days after First American released a statement saying that it had shut down access to an application whose defect had made possible unauthorized access to customer data. The statement itself was sent in response to a report by cybersecurity expert Brian Krebs, who claimed that First American’s website had exposed about 885 million files dating back to 2003.
The plaintiff, Pennsylvania resident David Gritz, claims that First American Financial and First American Title “allowed anyone to access sensitive files of millions of customers,’’ by using document identification numbers that were sequential.
The files, going back to 2003, contained bank account numbers, Social Security numbers and financial and tax records, Gritz’s lawyers said.
First American has shut down external access and hired an outside forensic firm to determine the extent to which, if any, customer information may have been compromised.
“At this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred,” the company said.
Still, people were concerned.
The company’s shares fell 2.2% on Friday in post-market trading before rebounding somewhat, although the drop is the most the company has experienced since 2011.
Compass Point slashed its price target on the stock to a Street-low of $55.50 from $62, as First American likely faces increasing costs. Analyst Chris Gamaitoni anticipates more spending for actions like reviewing the vulnerability and providing for greater protections moving forward.
Mark DeVries, senior research analyst at Barclays, pointed out that there’s no evidence that anyone apart from Krebs gained unauthorized access to the documents in question, and labeling the incident as a leak “could prove to be a gross mischaracterization of the situation.” After a meeting with First American executives on Tuesday morning, he wrote to Bloomberg that First American would “incur a few million dollars of professional services as a result of this, and may need to revisit some of its technology spend, but unless a material unauthorized accessing of customer information is discovered, the company would not anticipate incurring meaningful costs for credit monitoring.”
Investment banking firm Keefe, Bruyette & Woods, Inc., also concluded that the incident is likely to have little impact on earnings.
Ben Shoval is the real estate developer who initially discovered the vulnerability after getting a link from First American that sent him to a document for his transaction. He noticed, however, that changing a number would grant him access to other people’s documents, including “bank-account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver’s license images were available without authentication to anyone with a web browser,” Kreb wrote.
Shoval claims that he didn’t get a response from First American so he then reached out to Krebs, who was able to confirm the vulnerability, estimate its scale, and publicize the weakness.
Gritz is suing on behalf of millions of customers nationwide whose data was compromised. First American “failed to implement even rudimentary security measures,’’ according to the complaint.
Title insurers like First American use their records and public documents to verify a seller is a property’s true owner and that it is free from liens. The companies collect a premium at the closing of the purchase and pay costs that may arise if someone disputes the new owner’s right to the property. That work means they regularly handle private information.