Congrats, First American Title Insurance, you've made technology history. For all the wrong reasons A California-based insurer that inadvertently left tens of millions of private customer records open to the internet has become the first company to be charged by New York's Department of Financial Services (DFS) for cybersecurity rule violations. The Empire State's financial regulator said First American Title Insurance was …
"First American strongly disagrees with the New York Department of Financial Services’ charges relating to a limited cybersecurity incident from May 2019."
Well, the two stances are mutually exclusive. Provided the DFS is correct, I'm assuming that means we get to play that classic game called "Liar or Dipshit". (Protip: the answer is always 'C', both of them.)
That golden phrase that keeps making the rounds is their justification for the "disagreement" (after taking a brief diversion wherein they explicitly describe how they were in fact guilty of the charges they disagree with): "…and otherwise found no evidence…".
I hope that one day soon one of these laws gets a provision added to it that triples the fine in the event of the attempted use of any variant of those words by the offending party.
Well duh. I would also strongly disagree with a cop arresting me for drug trafficking. That doesn't necessarily mean the cop is wrong (in my case, yes, he would be, but bear with me).
I really have a hard time with companies being caught red-handed and then publishing bullshit like they "disagree" with the charges.
So. Fucking. What.
You go to court, you dispute the charges there, and you bear the result.
In this case, the court case is pretty much already sewn up. The data was available. It's your bloody fault.
The only question left is : is this going to be a case of Too Big To Fail ?
Because we all know that, when real money is involved, the government will swoop in with bailout money, even if the cause is criminal incompetence.
The reason that they dispute the charges is not so much any fines that they may pay to settle this... but the class action lawsuit that is sure to come.
They will end up going bankrupt or out of business because of this...
Whoever designed their website should be shot.
Not only the designer, who was probably nailed to the floor on price but also the idiot who signed off on the project.
If you have that responsibility, you ought to make an effort to understand exactly what you are responsible for.
Insurance companies are all about avoiding payouts of any kind that don't go to the C suite.
Robocallers can move assets around easily and leave little or nothing to collect in fines. Insurance companies are heavily regulated and have to show sufficient assets to meet a legally required portion of claims. They won't be able to pay out $850 billion, but they'll be able to pay out more than all fines we'll ever collect from telemarketers combined.
The use of GET without sanitisation, validation or authentication is so appallingly common that this is just another example. Brilliant that it's being prosecuted though even if only at state level. Interesting that it's under "cybersecurty" and not "data protection" or "privacy". Maybe we in the UK would do well to follow this lead, seeing how toothless our data protection regulation seems to be (and it can only get worse from 2021 on).
I know noone can afford editors, but this is painful to read.
"The exposed documents were stored in First American Title Insurance's FAST: a database responsible for holding hundreds of millions of scans of customers' official documents for things like mortgage filings. It is said that in 2014, a vulnerability was accidentally introduced to EaglePro, which is First American's web-based software that shares documents via email from FAST with customers.
That flaw that could be exploited to view any image in the system: documents sent via EaglePro were displayed from a URL that had a ImageDocumentID parameter that could be changed to any other value to pull up other people's paperwork with no authorization checks performed."
Well it's not like there's a handy top-10 list, that you might expect all Web developers to be familiar with, of common Internet security flaws...[checks notes]...oh wait there is.
https://owasp.org/www-project-top-ten/, the instant blunder is #5, "Broken Access Control."
Hopefully the penalty in this case will be high enough to make people sit up and take notice.
"Hopefully the penalty in this case will be high enough to make people sit up and take notice."
Penalties for this sort of breach should be high enough to delete the company and have the directors banned from the business for life. Until that sort of thing is a strong possibility, they will continue to calculate the risk v. cost when it comes to security instead of making data security an overriding priority.
Penalties for this sort of breach should be high enough to delete the company and have the directors banned from the business for life. Until that sort of thing is a strong possibility, they will continue to calculate the risk v. cost when it comes to security instead of making data security an overriding priority.
If the goal is revenge, then yes, liquidate the company and leave their employees without work and their customers without coverage.
If the goal is to deter this from happening again, we should look at what caused the situation, what permitted it, and what the final outcomes were. I suspect that "cost avoidance" was a major cause. Probably also poor understanding of the risks by the people who made decisions. This was likely permitted by poor oversight, maybe a weak company culture of integrity, and the perception that the people who benefitted from the decision were separate from those who would bear the costs.
I'd like to see some independent security guarantee, required by lenders, brokers, estate agents, and licensing bodies. They need to know whether they can trust suppliers. Clearly, they didn't.
Final outcomes are being decided now. I hope it doesn't simply add injury to those who were already harmed.
This is just a little mom-and-pop shop with no resources to address an issue like this. We should cut them a little slack under the knowledge that they're doing their best. They're certainly not a massive behemoth of a company with a virtual monopoly on real estate title closures, allowing them to rake untold scads of dollars off of every property sale in America for minimal effort.
(For the sarcasm-impaired, every word of the above is a lie.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
