The U.S. Securities and Exchange Commission (SEC) is currently investigating California-based real estate title insurance company First American, according to a report from security researcher Brian Krebs.
In May, Washington real estate developer Ben Shoval alerted Krebs to the fact that roughly 885 million personal and mortgage-related records held by the company could have been exposed. Shoval said he had discovered a security loophole after visiting a link to his own documents.
Now, the SEC has asked Shoval to provide documentation related to the data leak by August 21. The agency’s enforcement division is seeking to determine if First American violated federal securities laws.
“This investigation is a non-public, fact-finding inquiry,” the SEC said in the letter. “The investigation does not mean that we have concluded that anyone has violated the law.”
Facing legal action
After being made aware of the security issue, First American said it investigated the matter and ultimately identified just 32 consumers whose personal information was accessed without authorization.
“These 32 consumers have been notified and offered complimentary credit monitoring services,” the company said in July.
First American is already being investigated by New York’s Department of Financial Services, which recently implemented a new cybersecurity rule that requires financial firms to periodically audit and disclose how they protect sensitive user data. A class action lawsuit alleges that First American “failed to implement even rudimentary security measures.”