Taking It Very Seriously

The other day I wrote about the costs Equifax is finally having to bear for its 2017 breach of 150 million consumer records. Apparently, First American Financial Corporation upon learning of the Equifax breach said, “Hold my beer.”

Over the Memorial Day weekend Brian Krebs tweeted about a “Truly massive—possibly superlative—sensitive data exposure.” That turned out to be First American’s leak of hundreds of millions of mortgage deal documents from 2003 to present. Those documents included tax returns, bank account numbers and statements, social security numbers, driver’s license images, and other sensitive information. You can read Krebs’ full article here.

Who were the master crackers behind this exploit? Well, no one. First American simply put them unsecured on the Internet. Anyone with a Web browser who knew just one URL could get access to all the records. First American is, of course, taking the breach “Very Seriously.”

Vicki Boykis has a wonderful post on the event in which she rightly ridicules the “taking it very seriously” line. It is, she says, what companies who have never given a second thought to security or safeguarding consumers’ sensitive information always say when they get caught playing fast and loose with other people’s data. She goes on to say that the real problem is that companies have no incentive to do better.

She notes that Equifax, which is only now beginning to suffer for their negligence, is still in business and none of their executives have gone to jail. There is some hope, however. She notes that the GDPR in Europe and California’s CCPA (California Consumer Privacy Act) have started to worry these companies. As I said in my previous post, until it is crystal clear that collecting and storing people’s information entails an unconditional obligation to keep that information secure and that violating that obligation carries substantial financial and criminal penalties, companies will calculate that the typical penny-ante fines meted out by the government are simply a cost of doing business and nothing will change.

I think Boykis is right. Until the consequences of slipshod handling of consumers’ information are draconian and certain, nothing will change. As for First American, if their executives had any honor they would resign and join a monastery.
