First American Title Insurance has agreed to pay $1 million to the New York State Department of Financial Services over a 2019 data breach and implement new security measures to protect consumers’ data.
First American, the country’s second-largest title insurer, experienced a significant data breach in May 2019 that resulted in the exposure of private consumer information. The insurer collects and stores personal and financial data on “hundreds of thousands” of individuals in its proprietary EaglePro application. The breach stemmed from a vulnerability in First American’s proprietary EaglePro application that allowed individuals to see not only their documents but those of other individuals.
First American first learned of the breach from a cybersecurity journalist, according to the DFS order, who reported that an estimated 885 million documents including Social Security numbers, drivers’ license numbers, and tax and banking information were exposed. The insurer then shut down access to EaglePro and proceeded to remediate the vulnerability.
According to the order, NYDFS found violations of New York’s cybersecurity regulations for financial institutions, including failure to maintain effective governance and classification, access controls and identity management, and risk assessment policies and procedures.
Regulators acknowledged First American’s cooperation throughout the investigation and commitment to remediating the security issues. The NYDFS also stipulated that the insurer could not seek reimbursement of the $1 million penalty under any insurance policy.