Krebs on Security reported that real estate title insurance giant First American Financial Corp. is being investigated by the U.S. Securities and Exchange Commission (SEC) over a data leak that exposed more than 885 million personal records dating back to 2003.
The company allegedly failed to remedy a web application flaw known as Insecure Direct Object Reference (IDOR): the site handed out links to stored documents containing sensitive information, and the document identifier in the link was all that was needed to retrieve the file. Because the application never checked that the requester was authenticated, or authorized to view that particular document, anyone who obtained or guessed a valid link could read the records. It is not clear who has viewed the information or whether it has been misused.
First American has since fixed the flaw and said in a statement that it is likely only 32 people were directly affected. The company has offered free credit monitoring to those individuals.
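To make the flaw concrete, the following Python is an added illustration written for this post (it is not code from First American or ACA Aponix, and Krebs did not publish the company's code). It models a document-download handler as plain functions so it runs offline: `fetch_vulnerable` serves whatever identifier it is given, `enumerate_vulnerable` shows what an unauthenticated visitor can do with sequential identifiers, and `fetch_hardened` adds the missing per-request authorization check. The `ReferenceMap` class goes one step beyond the fix, issuing opaque per-user tokens so links cannot be guessed. The document store, user names, document contents and all function names are constructed for the example.

```python
"""Added example (not First American's or ACA Aponix's code): a document-download
handler with an IDOR, beside a hardened version that authorizes every request.
The store, user names and document contents are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import secrets


@dataclass
class Document:
    doc_id: int   # sequential internal id, i.e. the "direct object reference"
    owner: str    # the only user entitled to read it
    body: str


class NotFound(Exception):
    pass


class Unauthorized(Exception):
    pass


# Constructed sample store with sequential ids, as a title company's
# document archive might have.
DOCS: Dict[int, Document] = {
    1001: Document(1001, "alice", "closing statement for 12 Elm St (SSN, account numbers)"),
    1002: Document(1002, "bob", "wire instructions for 9 Oak Ave"),
    1003: Document(1003, "carol", "mortgage payoff letter for 4 Pine Ct"),
}


def fetch_vulnerable(doc_id: int) -> str:
    """IDOR: the id taken from the URL is used directly; nobody asks who the
    requester is or whether the document belongs to them."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def enumerate_vulnerable(start: int, count: int) -> List[Tuple[int, str]]:
    """What an unauthenticated visitor can do against the vulnerable handler:
    walk a range of ids and collect every document that exists."""
    found = []
    for doc_id in range(start, start + count):
        try:
            found.append((doc_id, fetch_vulnerable(doc_id)))
        except NotFound:
            continue
    return found


def fetch_hardened(doc_id: int, requester: Optional[str]) -> str:
    """Fix: require an authenticated requester and check ownership on every
    request. Missing and foreign documents get the same error so the response
    does not reveal which ids exist."""
    if requester is None:
        raise Unauthorized("authentication required")
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        raise NotFound(doc_id)
    return doc.body


class ReferenceMap:
    """Defence in depth: hand clients opaque per-user tokens instead of raw
    sequential ids, so links cannot be guessed. Ownership is still re-checked
    at fetch time; the token hides the id, it is not the access control."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, int]] = {}

    def issue(self, requester: str, doc_id: int) -> str:
        doc = DOCS.get(doc_id)
        if doc is None or doc.owner != requester:
            raise NotFound(doc_id)
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (requester, doc_id)
        return token

    def resolve(self, token: str, requester: Optional[str]) -> str:
        entry = self._tokens.get(token)
        if entry is None or entry[0] != requester:
            raise NotFound(token)
        return fetch_hardened(entry[1], requester)


def token_roundtrip(owner: str, doc_id: int, requester: Optional[str]) -> str:
    """Issue a token to owner, then resolve it as requester."""
    refs = ReferenceMap()
    return refs.resolve(refs.issue(owner, doc_id), requester)


def raises(exc_type, fn, *args) -> bool:
    """Helper so callers can check that a request is refused."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler, no login, ids 1000-1009:")
    for found_id, body in enumerate_vulnerable(1000, 10):
        print(f"  {found_id}: {body}")
    print("hardened handler, bob asking for 1001:",
          "refused" if raises(NotFound, fetch_hardened, 1001, "bob") else "served")
```

The point of the two handlers is that the fix is an authorization check, not a login page: `fetch_hardened` refuses an unauthenticated caller, but it also refuses a logged-in user asking for someone else's document, which is the case multi-factor authentication alone would not cover. The opaque tokens in `ReferenceMap` only make links hard to guess; the ownership check is still performed when the token is resolved.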
ACA Aponix Guidance
ACA Aponix recommends taking the following actions to protect non-public personal information:
- Ensure that appropriate security controls are in place for all personally identifiable information stored in your firm’s environments: multi-factor authentication, access rights administration, and, for any web application that serves stored records, a server-side authorization check on every request. Authentication alone does not prevent an IDOR if a logged-in user can still retrieve other customers’ documents by changing an identifier.
- Regularly evaluate the protection of data stored on company resources through penetration testing and other preventive measures, and take corrective action as needed.
- Recognize the seriousness with which the SEC, NYDFS and other regulators treat data protection. Prepare for possible investigations with precautionary security activities and with mock cybersecurity audits.
How ACA Aponix Can Help
ACA Aponix offers the following solutions that can help your firm avoid a similar data leak.
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Policies, procedures and governance
- Cyber incident response planning
- Cyber awareness
- Threat intelligence
- Microsoft® Office 365® security assessments
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.