UPDATED 22:11 EST / AUGUST 13 2019


SEC launches probe into First American data breach that exposed 885M records

The U.S. Securities and Exchange Commission has launched an investigation into a data breach on the website of First American Financial Corp. that exposed 885 million personal and financial records dating back to 2003.

The news today came from security researcher Brian Krebs, who first reported the data breach in May. The breach stemmed from how documents stored by First American on its website could be accessed.

Starting from a link generated by a search, anyone could change the number in the link to bring up other documents, none of which were secured. The exposed data included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver’s licenses.

The SEC has not publicly confirmed the investigation, but Krebs posted part of a letter sent Aug. 7 by the SEC to Benjamin Shoval, a real estate developer in Seattle. The letter states that the commission is conducting an investigation into First American “to determine if violations of the federal securities laws have occurred.”

New York State regulators were also reported to be investigating the data breach in May under the state’s Department of Financial Services Cybersecurity Regulation, which imposes cybersecurity requirements on financial institutions.

Although it secured the data once the breach was brought to its attention, First American has downplayed its severity from the beginning. It first claimed that the records of only 14 customers had been stolen before later revising the figure to 32.

“First American is a mortgage insurance company, so it’s likely that they don’t see themselves as a technology vendor,” Matt Rose, global director of application security strategy at application security firm Checkmarx Ltd., told SiliconANGLE. “Any company that processes personally identifying information data is a technology company in today’s world, meaning they must put security and responsible disclosure programs in place to both prevent these types of data exposure hacks and effectively and efficiently communicate them to the appropriate parties.”

Chetan Conikee, co-founder and chief technology officer at ShiftLeft Inc., noted that the news shines a spotlight on a category of vulnerabilities called business logic flaws.

“Companies should draw lessons from the incident by spending the time to thoroughly audit all the channels that access sensitive data and ensure that all of them meet policy requirements,” Conikee explained. “For example, if First American had been able to apply authentication policy checks for every release, this business logic vulnerability could have been caught in development, before making it to production.”
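The kind of per-release check Conikee describes can be sketched as follows. This is an added example, not First American's code or anything published by the companies quoted: the document store, handler names and users are all hypothetical. It contrasts a handler that trusts the document number alone with one that authenticates and authorizes each request, then audits both.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; ids are sequential, as in the flaw described above.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "wire transfer receipt (sample)"},
    1002: {"owner": "bob", "body": "mortgage record (sample)"},
    1003: {"owner": "alice", "body": "tax document (sample)"},
}


@dataclass(frozen=True)
class Session:
    user: Optional[str]  # None means an unauthenticated visitor


def fetch_unchecked(session, doc_id):
    """Flawed pattern: the document number alone grants access."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_checked(session, doc_id):
    """Hardened pattern: authenticate first, then authorize per document."""
    if session.user is None:
        return (401, None)
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "missing" and "not yours" so ids cannot be probed.
    if doc is None or doc["owner"] != session.user:
        return (404, None)
    return (200, doc["body"])


def audit_handler(handler):
    """Release gate: list every (user, doc_id) pair served to a non-owner."""
    leaks = []
    for user in (None, "alice", "bob"):
        for doc_id, doc in DOCUMENTS.items():
            status, _ = handler(Session(user), doc_id)
            if status == 200 and doc["owner"] != user:
                leaks.append((user, doc_id))
    return leaks


if __name__ == "__main__":
    print("unchecked leaks:", audit_handler(fetch_unchecked))
    print("checked leaks:  ", audit_handler(fetch_checked))
```

Run as a build step, a non-empty result from `audit_handler` fails the release before the handler reaches production.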

Photo: firstam/Flickr
