SEC Investigating Data Leak at First American

August 22, 2019 by ACA Aponix

Krebs on Security revealed that real estate title insurance giant First American Financial Corp. is being investigated by the U.S. Securities and Exchange Commission (SEC) for a data leak that exposed over 885 million personal records from as far back as 2003.

The company allegedly failed to remedy a website design error called Insecure Direct Object Reference (IDOR), in which a link to stored documents containing sensitive information is provided but not protected. Anyone who locates the link can access the information without authentication. It is not clear who has seen the information or whether it has been misused.
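The IDOR pattern described above, shown as an added example beside a corrected handler. This is not First American's code. The document store, session tokens and function names are hypothetical, and all data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account allowed to read this record
    body: str

# Constructed sample store with sequential IDs, as a document portal might use.
STORE = {
    1001: Document(1001, "alice", "closing statement for alice"),
    1002: Document(1002, "bob", "wire instructions for bob"),
}
# Constructed session table: token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def get_document_vulnerable(doc_id: int) -> tuple[int, str]:
    """IDOR: the identifier in the link is the only thing that is checked."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404, "not found"
    return 200, doc.body

def get_document_hardened(doc_id: int, token: Optional[str]) -> tuple[int, str]:
    """Require a valid session, then authorize the caller for this record."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return 401, "authentication required"
    doc = STORE.get(doc_id)
    # Same answer for "missing" and "not yours", so responses do not
    # confirm which identifiers exist.
    if doc is None or doc.owner != user:
        return 404, "not found"
    return 200, doc.body

def cross_account_reads(fetch: Callable[[int], tuple[int, str]], user: str) -> list[int]:
    """Regression check: IDs the handler serves that `user` does not own."""
    return [i for i, d in sorted(STORE.items())
            if d.owner != user and fetch(i)[0] == 200]
```

Running `cross_account_reads` against every document endpoint in a test suite catches a handler that authenticates the caller but never compares the record's owner to the session.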

First American has since corrected the security design error, and indicated in a statement that it is likely only 32 people have been directly affected by this error. The company has offered free credit monitoring to those individuals.

ACA Aponix Guidance

ACA Aponix recommends taking the following actions to protect non-public personal information:

  • Ensure that proper security configuration is in place for all personally identifiable information stored in your firm’s environments. Utilize multi-factor authentication, access rights administration, and other security precautions.
  • Regularly evaluate the protection of data stored on company resources, via penetration testing and other preventive measures. Respond with corrective actions as needed.
  • Recognize the seriousness of data protection regulation as indicated by the SEC, NYDFS and other regulatory organizations. Prepare for any possible investigations with precautionary security activities, and with mock cybersecurity audits.

How ACA Aponix Can Help

ACA Aponix offers the following solutions that can help your firm avoid a similar data leak.


If you have any questions, please contact your ACA Aponix consultant or email us at