Congrats, First American Title Insurance, you've made technology history. For all the wrong reasons

A California-based insurer that inadvertently left tens of millions of private customer records open to the internet has become the first company to be charged by New York's Department of Financial Services (DFS) for cybersecurity rule violations. The Empire State's financial regulator said First American Title Insurance was …

  1. jason_derp Bronze badge

    Well then

    "First American strongly disagrees with the New York Department of Financial Services’ charges relating to a limited cybersecurity incident from May 2019."

    Well, the two stances are mutually exclusive. Provided the DFS is correct, I'm assuming that means we get to play that classic game called "Liar or Dipshit". (Protip: the answer is always 'C', both of them.)

    1. HildyJ Silver badge

      Re: Well then

      I'd go with liar and clueless because dipshit is synonymous with title insurance company.

      But the answer would still be C.

      As for the blessing from Nebraska, they are just desperate to keep the company from moving to a more forgiving state.

      1. ST Silver badge

        Re: Well then

        > As for the blessing from Nebraska [ ... ]

        Well, the blessing from Nebraska is completely irrelevant in New York State.

    2. logicalextreme Bronze badge

      And there it is again

      That golden phrase that keeps making the rounds is their justification for the "disagreement" (after taking a brief diversion wherein they explicitly describe how they were in fact guilty of the charges they disagree with): "…and otherwise found no evidence…".

      I hope that one day soon one of these laws gets a provision added to it that triples the fine in the event of the attempted use of any variant of those words by the offending party.

  2. Pascal Monett Silver badge

    "First American strongly disagrees"

    Well duh. I would also strongly disagree with a cop arresting me for drug trafficking. That doesn't necessarily mean the cop is wrong (in my case, yes, he would be, but bear with me).

    I really have a hard time with companies being caught red-handed and then publishing bullshit like they "disagree" with the charges.

    So. Fucking. What.

    You go to court, you dispute the charges there, and you bear the result.

    In this case, the court case is pretty much already sewn up. The data was available. It's your bloody fault.

    The only question left is : is this going to be a case of Too Big To Fail ?

    Because we all know that, when real money is involved, the government will swoop in with bailout money, even if the cause is criminal incompetence.

    1. Mike the FlyingRat

      @Pascal Re: "First American strongly disagrees"

      The reason that they dispute the charges is not so much any fines that they may pay to settle this... but the class action lawsuit that is sure to come.

      They will end up going bankrupt or out of business because of this...

      Whoever designed their website should be shot.

      1. Chris G Silver badge

        Re: @Pascal "First American strongly disagrees"

        Not only the designer, who was probably nailed to the floor on price but also the idiot who signed off on the project.

        If you have that responsibility, you ought to make an effort to understand exactly what you are responsible for.

        Insurance companies are all about avoiding payouts of any kind that don't go to the C suite.

      2. John Brown (no body) Silver badge

        Re: @Pascal "First American strongly disagrees"

        "The reason that they dispute the charges is not so much any fines that they may pay to settle this... but the class action lawsuit that is sure to come."

        Can or should a company be punished twice for the same offence?

  3. IceC0ld Silver badge

    $1000 per failing, 850 MILLION exposed

    even in the USA, THAT is a LOT of moolah

    hard to see how they will excuse this, but I will never put anything past the professional liars / lawyers involved

    1. Anonymous Coward

      "even in the USA, THAT is a LOT of moolah"

      Yes, but there is a massive difference between amount fined and amount collected.

      (See Ajit Pai's FCC fines against robocallers for instance.)

      1. DS999

        There is a difference

        Robocallers can move assets around easily and leave little or nothing to collect in fines. Insurance companies are heavily regulated and have to show sufficient assets to meet a legally required portion of claims. They won't be able to pay out $850 billion, but they'll be able to pay out more than all fines we'll ever collect from telemarketers combined.

      2. MachDiamond Silver badge

        "(See Ajit Pai's FCC fines against robocallers for instance.)"

        Ajit Paid seems to be on so many outside payrolls it's hard to keep track. At least his actions strongly hint at corruption.

    2. Tom Chiverton 1

      Just tie it up in court for years then quietly reach a settlement that mostly benefits lawyers.

      Cheaper than paying out, SOP

  4. Mike 137 Silver badge

    The RFC 2616 GET (anything you want) method

    The use of GET without sanitisation, validation or authentication is so appallingly common that this is just another example. Brilliant that it's being prosecuted though, even if only at state level. Interesting that it's under "cybersecurity" and not "data protection" or "privacy". Maybe we in the UK would do well to follow this lead, seeing how toothless our data protection regulation seems to be (and it can only get worse from 2021 on).

  5. David Taylor 1

    Such tortuous prose

    I know no one can afford editors, but this is painful to read.

    "The exposed documents were stored in First American Title Insurance's FAST: a database responsible for holding hundreds of millions of scans of customers' official documents for things like mortgage filings. It is said that in 2014, a vulnerability was accidentally introduced to EaglePro, which is First American's web-based software that shares documents via email from FAST with customers.

    That flaw that could be exploited to view any image in the system: documents sent via EaglePro were displayed from a URL that had a ImageDocumentID parameter that could be changed to any other value to pull up other people's paperwork with no authorization checks performed."
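The flaw quoted above (a document viewer that trusts the ImageDocumentID in the URL) and Mike 137's point about unauthenticated GET, shown as an added example. This is not EaglePro's or First American's code; the records, user names, share grants and link format are all constructed for illustration. The vulnerable handler sits beside two hardened ones: a session-based ownership check, and a MAC-protected share link for emailed documents where the recipient may have no login (the step that verifies who the recipient is, e.g. a one-time code to their address, is assumed and not shown).

```python
"""Added example, not code from First American or EaglePro: a document viewer
that trusts a document ID from the URL, beside two hardened versions.
All names, records, share grants and the link format are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample records. Sequential IDs are what make tampering trivial:
# anyone holding a link for 1001 can simply try 1002, 1003, ...
DOCUMENTS = {
    1001: {"owner": "alice", "body": b"deed scan for alice"},
    1002: {"owner": "bob", "body": b"mortgage filing for bob"},
    1003: {"owner": "carol", "body": b"identity document for carol"},
}
# Explicit share grants (constructed): document id -> users allowed to view it.
SHARES = {1002: {"alice"}}


class Forbidden(Exception):
    """Raised for every denied request; one error keeps responses uniform."""


def view_vulnerable(image_document_id: str) -> bytes:
    """Vulnerable: the ImageDocumentID query parameter is the only input.
    Whoever supplies a valid ID gets the document: no session, no ownership check."""
    return DOCUMENTS[int(image_document_id)]["body"]


def view_checked(session_user: Optional[str], image_document_id: str) -> bytes:
    """Hardened: require an authenticated user and confirm the document is
    owned by or shared with that user before returning it."""
    if session_user is None:
        raise Forbidden("login required")
    try:
        doc_id = int(image_document_id)
    except ValueError:
        raise Forbidden("denied") from None
    doc = DOCUMENTS.get(doc_id)
    # Same error for "no such document" and "not yours", so the endpoint
    # cannot be used to enumerate which IDs exist.
    allowed = doc is not None and (
        doc["owner"] == session_user or session_user in SHARES.get(doc_id, set())
    )
    if not allowed:
        raise Forbidden("denied")
    return doc["body"]


# For emailed links the recipient may have no login. Instead of the raw ID,
# the link carries a MAC over (document id, recipient, expiry); changing any
# field invalidates it. The key is generated per process here (assumption:
# in practice it lives in a secret store and survives restarts).
_LINK_KEY = secrets.token_bytes(32)


def _mac(doc_id: str, recipient: str, expires_at: str) -> str:
    msg = f"{doc_id}|{recipient}|{expires_at}".encode()
    return hmac.new(_LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_share_link(doc_id: int, recipient: str, expires_at: int) -> str:
    """Build the token that goes into the emailed link."""
    return f"{doc_id}|{recipient}|{expires_at}|{_mac(str(doc_id), recipient, str(expires_at))}"


def view_by_link(link: str, verified_recipient: str, now: int) -> bytes:
    """Validate a share link. verified_recipient is whoever the caller has
    already confirmed (assumed: a one-time code sent to that address).
    Returns the document only if MAC, recipient and expiry all check out."""
    parts = link.split("|")
    if len(parts) != 4:
        raise Forbidden("denied")
    doc_id, recipient, expires_at, tag = parts
    # Verify the MAC first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag, _mac(doc_id, recipient, expires_at)):
        raise Forbidden("denied")
    if recipient != verified_recipient or int(expires_at) < now:
        raise Forbidden("denied")
    doc = DOCUMENTS.get(int(doc_id))
    if doc is None:
        raise Forbidden("denied")
    return doc["body"]


def tampered(link: str, new_doc_id: int) -> str:
    """What an attacker does to a link: swap the ID, keep everything else."""
    _, rest = link.split("|", 1)
    return f"{new_doc_id}|{rest}"


def denied(fn: Callable[..., bytes], *args) -> bool:
    """True if the call is refused with Forbidden, False if it returns a document."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Mallory holds a link meant for document 1001 and walks the ID space.
    print(view_vulnerable("1003"))                      # carol's document, no questions asked
    print("checked viewer denies:", denied(view_checked, "mallory", "1003"))
    link = make_share_link(1001, "alice@example.com", 2_000_000_000)
    print(view_by_link(link, "alice@example.com", 1_700_000_000))
    print("tampered link denies:", denied(view_by_link, tampered(link, 1003), "alice@example.com", 1_700_000_000))
```

The share-link version is still a bearer capability: anyone who obtains the email can use it until expiry, which is why it is bound to a recipient and a short lifetime rather than to the document alone. Where the recipient does have an account, the session-based check is the right primary control and the link is only a convenience.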

  6. spacecadet66

    Well it's not like there's a handy top-10 list, that you might expect all Web developers to be familiar with, of common Internet security flaws...[checks notes]...oh wait there is.

    https://owasp.org/www-project-top-ten/, the instant blunder is #5, "Broken Access Control."

    Hopefully the penalty in this case will be high enough to make people sit up and take notice.

    1. MachDiamond Silver badge

      "Hopefully the penalty in this case will be high enough to make people sit up and take notice."

      Penalties for this sort of breach should be high enough to delete the company and have the directors banned from the business for life. Until that sort of thing is a strong possibility, they will continue to calculate the risk v. cost when it comes to security instead of making data security an overriding priority.

      1. jtaylor

        Penalties for this sort of breach should be high enough to delete the company and have the directors banned from the business for life. Until that sort of thing is a strong possibility, they will continue to calculate the risk v. cost when it comes to security instead of making data security an overriding priority.

        If the goal is revenge, then yes, liquidate the company and leave their employees without work and their customers without coverage.

        If the goal is to deter this from happening again, we should look at what caused the situation, what permitted it, and what the final outcomes were. I suspect that "cost avoidance" was a major cause. Probably also poor understanding of the risks by the people who made decisions. This was likely permitted by poor oversight, maybe a weak company culture of integrity, and the perception that the people who benefitted from the decision were separate from those who would bear the costs.

        I'd like to see some independent security guarantee, required by lenders, brokers, estate agents, and licensing bodies. They need to know whether they can trust suppliers. Clearly, they didn't.

        Final outcomes are being decided now. I hope it doesn't simply add injury to those who were already harmed.

  7. JCitizen Bronze badge

    It's about time...

    That somebody got their butt kicked over lack of security like this; even if it is just a state prosecution. I'd like to see more Federal butt kicking going on for interstate/national companies. But, maybe the SEC will also weigh in on this one.

  8. Throatwarbler Mangrove Silver badge

    Guys, it's cool

    This is just a little mom-and-pop shop with no resources to address an issue like this. We should cut them a little slack under the knowledge that they're doing their best. They're certainly not a massive behemoth of a company with a virtual monopoly on real estate title closures, allowing them to rake untold scads of dollars off of every property sale in America for minimal effort.

    (For the sarcasm-impaired, every word of the above is a lie.)


Biting the hand that feeds IT © 1998–2020