The Securities and Exchange Commission (SEC) has agreed to a settlement with First American over the leak of millions of financial records and subsequent disclosure.
Announced on Tuesday, the settlement will see the case closed in return for a $487,616 penalty and adherence to a cease-and-desist order.
The SEC’s complaints relate to the disclosure of roughly 885 million financial records associated with mortgage deals as far back as 2003 and until 2019.
Cybersecurity expert Brian Krebs reported the issue to the US real estate giant on May 24, 2019, noting that the leak contained bank account numbers, mortgage records, tax data, Social Security numbers, and driver’s license scans, among other information.
The leak was contained to First American’s website and was secured once the company was alerted. First American blamed the extensive security breach on a “design defect,” issued a press statement on May 24, and informed the commission of the exposure on May 28.
However, the SEC says that First American’s actions were not enough to adhere to disclosure rules, as “senior executives responsible for public statements” were not informed of the “magnitude” of the breach.
“In particular, the order finds that First American’s senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it in accordance with the company’s policies,” the agency says.
As a result, SEC alleged that the company failed to disclose all pertinent and relevant information concerning the breach to regulators, and charged First American with breaking disclosure controls and procedures under Rule 13a-15(a) of the Exchange Act (.PDF).
First American has neither confirmed nor denied the SEC’s charges.
ZDNet has reached out to First American and we will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0