One of the major cybersecurity breaches of 2019 involved First American Financial Corporation, one of the leading real estate title insurance companies. In May 2019, security journalist Brian Krebs reported that the company’s website was leaking clients’ data. Ben Shoval, a real estate developer in Seattle, found that by changing one digit in the company’s URL, anyone could access over 885 million private records belonging to other individuals (Krebs, 2019).
Once the URL had been changed, no authentication was needed to access the documents. Information that could be accessed included wire transaction receipts, tax and mortgage documents, bank account numbers, drivers’ license images, and social security numbers. Krebs (2019) notes that this kind of information would be a “virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters” (para. 15).
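The flaw described above, where changing a digit in a URL returns another person's record with no authentication, is an insecure direct object reference. The following added example (not code from First American or from the cited sources; the document store, session table and function names are constructed assumptions) contrasts a lookup gated only by the identifier with one that authenticates the caller and checks ownership, and records refusals so that enumeration becomes visible.

```python
# Added illustration: every name and record below is constructed sample data.
DOCUMENTS = {  # keyed by sequential number, like the digit in the URL
    1001: {"owner": "alice", "body": "wire receipt (sample)"},
    1002: {"owner": "bob", "body": "mortgage file (sample)"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> user
DENIED = []  # audit trail of refused requests: (user, doc_id)


def fetch_document_insecure(doc_id):
    """The flaw: knowing (or guessing) the identifier is the only gate."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_document_checked(doc_id, session_token):
    """Authenticate the caller, then authorize against the record owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)  # no valid session
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        # Same answer for "missing" and "not yours", so the response
        # does not reveal which identifiers exist.
        DENIED.append((user, doc_id))
        return (404, None)
    return (200, doc["body"])


def enumeration_suspects(threshold=3):
    """Users refused on at least `threshold` distinct identifiers."""
    refused = {}
    for user, doc_id in DENIED:
        refused.setdefault(user, set()).add(doc_id)
    return sorted(u for u, ids in refused.items() if len(ids) >= threshold)
```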
This incident was chosen for two reasons. First, it underscores the important role that people and systems play in ensuring data security. Second, when Ben Shoval contacted First American to warn them of the data leaks, the company ignored him, which explains why he resorted to contacting Brian Krebs given the gravity of the issue. While the needed technology might be available, if the people managing it are not careful and compliant with the systems’ demands, the confidentiality of client information might not be guaranteed.
In addition, after being notified of the data leaks, First American should have responded swiftly to address the issue appropriately instead of ignoring the warnings. Zerlang (2017) and Kim and Kim (2017) argue that compliance offers a base level of security, and this incident shows that one of the major challenges of cybersecurity is the failure to take care of basic issues, such as ensuring that primary security measures are put in place and that the response is swift if a breach occurs.
The implications associated with this breach involve both social and economic aspects. Economically, clients’ privacy was violated, which led to lawsuits based on negligence claims, such as Gritz v. First American Financial Corp., 19-cv-01009, U.S. District Court, Central District of California (Padwal, Thomas, Howard, & Carr, 2019). Additionally, the company had to retain outside expertise to assess the damage and implement the appropriate security measures to rectify the situation.
Socially, clients are likely to lose trust and confidence in the company because their privacy has been violated. The impact of this data breach on consumer safety and well-being is far-reaching. First, the primary threat of the leaked clients’ information is criminal in nature. For instance, scammers and people using dark web marketplaces are most likely to sell such information to third parties, which is ultimately used in identity theft and other related fraud cases.
It is impossible to assess and determine when and how the stolen personal information will be used in the future. Therefore, consumer safety and well-being cannot be assured under such circumstances.
Moving forward, the company should invest in data security systems to ensure that clients’ information is secure. For instance, the company could employ blockchain technology to strengthen its cybersecurity systems. Kshetri (2017) argues that blockchain is secure by design as its multi-signature protection through interlocked systems makes it difficult for unauthorized parties to access data. Additionally, the company should comply with the existing data protection laws and regulations.
However, First American should have qualified IT personnel to ensure that its systems function effectively and be prepared to respond swiftly in case a breach occurs.
References
Kim, S.-S., & Kim, Y.-J. (2017). The effect of compliance knowledge and compliance support systems on information security compliance behavior. Journal of Knowledge Management, 21(4), 986-1010. Web.
Krebs, B. (2019). SEC investigating data leak at First American Financial Corp. Web.
Kshetri, N. (2017). Blockchain’s roles in strengthening cybersecurity and protecting privacy. Telecommunications Policy, 41(10), 1027-1038. Web.
Padwal, K., Thomas, A., Howard, T., & Carr, M. (2019). Common lessons from disparate information security incidents. A white paper analysis. Web.
Zerlang, J. (2017). GDPR: A milestone in convergence for cyber-security and compliance. Network Security, 6, 8-11. Web.