Mortgage Industry Data Breach

Articles by: Richey May, May 29, 2019

May 2019 – On Friday, news broke on Krebs on Security that First American Financial Corp, a title insurance company headquartered in California with $5.8B in annual revenue and more than 18,000 employees, had potentially exposed millions of records of non-public confidential consumer information due to a significant flaw in its online web portal. The vulnerability was first discovered by a developer who attempted to contact First American Financial to notify the company about the issue. Because the company did not respond in a timely manner, the developer notified Brian Krebs so that he could make a public announcement.

Specifically, the developer discovered that it was possible to recall documents submitted by consumers with clear details such as Social Security numbers, bank routing information and contact information for parties to title insurance transactions. These details are extremely useful to threat actors in phishing and business email compromise attacks. While it does not appear that any non-public consumer information that may have been accessed as a result of this vulnerability has actually turned up online, the information was clearly visible and accessible.

While this is just another in a long string of announced data breaches, companies can and should seek to learn from it. First, when developing a custom application, formal security testing should be completed to ensure that the application addresses the OWASP Top 20 security vulnerabilities. In the First American Financial Corp incident, the ability to manually manipulate the URL of the website to recall documents is a basic vulnerability that this type of testing would have identified.
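The kind of check such testing performs can be expressed as a small access-control matrix. This is an added example, not code from the original article or from any First American system. The document store, the user names, the anonymous requester and the function names are all hypothetical and constructed for illustration. It shows a lookup that trusts the identifier from the URL beside one that also verifies the requester, and an audit that requests every document as every user.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str   # account allowed to view the document
    body: str

# Constructed sample records; not data from the incident.
STORE = {
    "1001": Document("1001", "alice", "closing package for alice"),
    "1002": Document("1002", "bob", "wire instructions for bob"),
}

class Forbidden(Exception):
    """Requester is not authorized for the requested document."""

def fetch_unchecked(doc_id, session_user=None):
    # Weak form: the identifier taken from the URL is the only thing consulted.
    doc = STORE.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.body

def fetch_checked(doc_id, session_user):
    # Hardened form: require a session and compare it with the record's owner.
    doc = STORE.get(doc_id)
    # Same error for "missing" and "not yours", so replies do not confirm valid IDs.
    if session_user is None or doc is None or doc.owner != session_user:
        raise Forbidden(doc_id)
    return doc.body

def audit(fetch):
    """Request every document as every user (and with no session); return the
    (requester, doc_id) pairs that were served to someone other than the owner."""
    leaks = []
    for requester in [None] + sorted({d.owner for d in STORE.values()}):
        for doc_id, doc in STORE.items():
            try:
                fetch(doc_id, requester)
            except (Forbidden, KeyError):
                continue
            if requester != doc.owner:
                leaks.append((requester, doc_id))
    return leaks

if __name__ == "__main__":
    print("unchecked:", audit(fetch_unchecked))
    print("checked:  ", audit(fetch_checked))
```

Run as a regression test in a build pipeline, a non-empty result from `audit` fails the release before the portal is exposed.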

Second, companies should consider having a third party conduct annual penetration tests that include, at a minimum, testing of all public-facing applications including web portals. Such penetration tests should uncover vulnerabilities like the one identified within First American’s online environment.

Given the current regulatory environment with respect to information and data security, companies should pay close attention to any and all vulnerabilities that could result in the compromise of sensitive consumer information. This is undoubtedly one of the largest potential consumer data breaches that has occurred within the mortgage and lending industry. We will continue to monitor the extent to which this incident impacts the industry. In the meantime, other organizations should take note and seek to strengthen their security posture in an effort to avoid similar vulnerabilities and breaches.

JT Gaietto is Executive Director, Cybersecurity Services for Richey May Technology Solutions. He focuses on providing clients with critical security and regulatory compliance support, including incident response, third-party risk management, business continuity and customer and government due diligence oversight. He can be reached at jgaietto@richeymay.com.