First American exposed 885 MILLION full datasets. Translation of their statement to plain English

After exposing 885 MILLION full datasets title insurance records, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images, which covers the last 16(!) years, the estate title insurance giant First American Financial Corp issued this statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.”
Translation: We have used a cobbled together web page which had no security audit in any way (because if we had, this would have been checked in the first place, because breaches exactly of this kind are the most common in “the industry” and happened multiple times before on other big sites. If you were logged in to their website, you needed only to manipulate the sequential number in the address bar to get access to any other account. Of course nobody expects to change one number in a 9 digit sequential number to see if there is another record. We are totally surprised! Such things were previously unheard of … NOT!
“At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”
Translation: Now that we’ve got caught with it, we try some damage control. (Damage control for the company, because the damage for the users and and for the customers of the users already happened in the past)
“The company took immediate action to address the situation and shut down external access to the application.”
Translation: We did not yet fix it, but now that we’ve got caught, we took it offline (which we wouldn’t have needed if we had a full security audit of the public facing side of our site in the first place).
“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
Translation: We are frantically searching for someone else we can blame – preferably an outsider. Of course we know that all of the data was unencrypted facing the web and evaluate how we can get out of it, because if enough people sue us we might see a billion dollar fine. Other than that: No Comment until it’s all water under the bridge.

Other translations of other breaches would be welcome.

Edit 2019-06-03: Meanwhile New York regulators are investigating the a weakness as the first test of the state’s strict new cybersecurity regulation. That regulation, which went into effect in March 2019 and is considered among the toughest in the USA, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

Let’s hope they use it to send a strong signal and give them a decent rap on their knuckles.

Edit 2019-07-02: It seems that, according to Bloomberg, a Class Action Lawsuit was filed. That can become expensive …


Photo by Cytonn Photography on Unsplash

4 comments Write a comment

  1. dr-flay

    Unfortunately the online translator systems don’t have Manager as a language option, so thank you for making this a lot clearer.

  2. greybeard

    My concern is of “New York regulators are investigating the a weakness as the first test of the state’s strict new cybersecurity regulation. That regulation, which went into effect in March 2019 and is considered among the toughest in the USA, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.”
    How often is “regularly”?, and shouldn’t it read: ‘provides for fines in all cases where violations are found’.

    Unfortunately happens all to often. Simple misconfiguration of a server by overworked or under trained IT staff. 🙁

    • Regularly is _at least_ once per year and in must be usually done by the CISO (which is usually required – either by the company or by the maintainer).

      Quote from section 500.05 of the regulation:

      The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments.
      Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:
      (a) annual Penetration Testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and
      (b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.

      … and the reckless or willful is nor directly part of the regulation, but where the fines are due (there are no sums in the regulation, those are in some other regulations), and “publicly known cybersecurity” is basically a bail out for some new ways to breach it, despite the personal was there and trained and despite they thought they did all to thwart the known threats, or the “all too often” stuff like human errors *) – because humans are still humans and make errors.

      *) too often, to be honest, because security is for some companies obviously still the 5th wheel on the car, and I don’t mean the steering wheel …

Leave a Reply