SEC settles with First American over massive leak of mortgage data, disclosure

Updated: First American has agreed to a penalty of close to half a million dollars.
Written by Charlie Osborne, Contributing Writer

The Securities and Exchange Commission (SEC) has agreed to a settlement with First American over the leak of millions of financial records and subsequent disclosure. 

Announced on Tuesday, the settlement will see the case closed in return for a $487,616 penalty and adherence to a cease-and-desist order. 

The SEC's complaints relate to the disclosure of roughly 885 million financial records associated with mortgage deals as far back as 2003 and until 2019. 

Cybersecurity expert Brian Krebs reported the issue to the US real estate giant on May 24, 2019, noting that the leak contained bank account numbers, mortgage records, tax data, Social Security numbers, and driver's license scans, among other information. 

The leak was contained to First American's website and was secured once the company was alerted. First American blamed the extensive security breach on a "design defect," issued a press statement on May 24, and informed the commission of the exposure on May 28.  

However, the SEC says that First American's actions were not enough to adhere to disclosure rules, as "senior executives responsible for public statements" were not informed of the "magnitude" of the breach. 

"In particular, the order finds that First American's senior executives were not informed that the company's information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company's policies," the agency says. 

As a result, SEC alleged that the company failed to disclose all pertinent and relevant information concerning the breach to regulators, and charged First American with breaking disclosure controls and procedures under Rule 13a-15(a) of the Exchange Act (.PDF). 

First American has neither confirmed nor denied the SEC's charges. 

Update 16.09 BST: A First American spokesperson told ZDNet:

"We're pleased to resolve this matter with the SEC and remain committed to compliance with all SEC disclosure control requirements."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards