SEC to Investigate First American 885 Million Record Data Leak Drew Wilson | August 22, 2019 The US Securities and Exchange Commission (SEC) said that it is investigating the First American data leak. The leak exposed a stunning 885 million files. Back in June, we reported on the First American data leak. That leak saw an eye popping 885 million files become exposed to the public. The leak itself saw files dating as far back as 2003 being available to anyone who wanted to see. Pieces of information exposed included social security numbers, bank account numbers, tax records, and a whole lot more. All it took to access the files is to change characters in a URL. If that record happened to be valid, you were in. No authentication was required to access the file whatsoever. Now, it seems that the US government is responding. According to KrebsOnSecurity, the SEC is saying that they are investigating. The letter in question is dated August 7th. They are requesting documents to be handed over voluntarily by August 21st (which is yesterday at this point). The Commission also says that the inquiry does not mean that there has been a violation of the law and is non-public. More from the report: The initial tip on that story came from Ben Shoval, a real estate developer based in Seattle. Shoval said he recently received a letter from the SEC’s enforcement division which stated the agency was investigating the data exposure to determine if First American had violated federal securities laws. In its letter, the SEC asked Shoval to preserve and share any documents or evidence he had related to the data exposure. “This investigation is a non-public, fact-finding inquiry,” the letter explained. “The investigation does not mean that we have concluded that anyone has violated the law.” The SEC declined to comment for this story. Word of the SEC investigation comes weeks after regulators in New York said they were investigating the company in what could turn out to be the first test of the state’s strict new cybersecurity regulation, which requires financial companies to periodically audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful. First American also is now the target of a class action lawsuit that alleges it “failed to implement even rudimentary security measures.” If anything, this story is proving to not be a flash in the pan one headline story. At the very least, it has grown legs. Whether or not it continues to grow is another story entirely. While developments do appear to be generally slow, this story is far from dead. We’ll continue to be on the lookout for any developments this story might have. Drew Wilson on Twitter: @icecube85 and Facebook.