Real-estate title insurer First American Financial reached a $487,616 settlement with the U.S. Securities and Exchange Commission for not maintaining cybersecurity disclosure controls and procedures that exposed sensitive customer information.

First American was notified by cybersecurity journalist Brian Krebs in May 2019 that its application for sharing document images had a vulnerability that exposed over 800 million images dating back to 2003. The images contained personal data such as Social Security numbers, financial information, and drivers’ license images.

In response, First American issued a press statement the same day they were notified of the vulnerability and provided a Form 8-K to the SEC four days later. According to the SEC, the senior executives at First American that issued the public statements “were not apprised of certain information that was relevant to their assessment of the company’s disclosure response to the vulnerability and the magnitude of the resulting risk.”

The senior executives were not informed that the company’s information security personnel had identified the vulnerability several months earlier, but had failed to remediate it.

“As a result of First American’s deficient disclosure controls, senior management was completely unaware of this vulnerability and the company’s failure to remediate it,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit. “Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures.”

Without admitting or denying the SEC’s findings, First American agreed to a cease-and-desist order and will pay a $487,616 penalty.