- Approximately 885 million records were leaked through a website belonging to First American.
- The company did not become aware of the problem until yesterday, although the website had been unsecured since March 2017.
- Millions of buyers and sellers had their full financial details and associated PII put at risk by this incident.

The financial services and title insurance giant First American Financial Corporation has leaked millions of documents containing extremely sensitive data. The records date as far back as 2003 and include tax records, mortgage records, social security numbers, bank account numbers, statements, wire transaction receipts, and even scans of driver's licenses. The leak occurred through a portion of the firstam.com website that allowed anyone to directly access and view any document as long as the right URL was entered. With one valid URL, changing the digit at the end was enough to locate hundreds of millions of records without going through any type of authentication.
KrebsOnSecurity received the tip from a real estate developer (Ben Shoval) who discovered the problem and confirmed that at least 885 million files had been exposed. Having found records that concerned himself, Mr. Shoval tried other URLs and figured out that the documents had been numbered sequentially, which made other records easier to find. The records start at number 75, which concerns a transaction made in 2003, and run up to 885000000, which corresponds to records from May 24, 2019.
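
The flaw described above is an access-control gap: the record number in the URL was the only thing standing between a visitor and a document. The following is an added example, not First American's code; the document store, user names and function names are constructed for illustration. It contrasts that pattern with a per-request ownership check and with an expiring, unguessable link token.

```python
import secrets

# Constructed sample data: sequentially numbered records, as in the article.
DOCUMENTS = {
    75: {"owner": "alice", "body": "2003 closing statement"},
    76: {"owner": "bob", "body": "wire transfer receipt"},
}
LINKS = {}  # opaque token -> (record number, expiry as epoch seconds)


def fetch_vulnerable(doc_id):
    """Pattern described above: the number in the URL is the only check."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_hardened(session_user, doc_id):
    """Authenticate first, then check ownership of the object on every request."""
    if session_user is None:
        return (401, None)
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "no such record" and "not yours", so responses do not
    # reveal which record numbers exist.
    if doc is None or doc["owner"] != session_user:
        return (404, None)
    return (200, doc["body"])


def issue_link(doc_id, now, ttl=3600):
    """For recipients without an account: a random, expiring token replaces
    the record number in the URL. It complements the ownership check above."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    LINKS[token] = (doc_id, now + ttl)
    return token


def fetch_by_link(token, now):
    doc_id, expires = LINKS.get(token, (None, 0))
    if doc_id is None or now >= expires:
        return (404, None)
    return (200, DOCUMENTS[doc_id]["body"])
```
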
The company finally disabled the leaking website yesterday and published the following statement about the incident: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy, and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
The archive.org records show that the documents had been available on the site since at least March 2017, so this was not exactly a timely response from First American. It is hard to say whether these records were previously accessed by malicious actors, but the fact that they remained accessible for such an extended period leaves little margin for hopeful thinking. The information contained in these documents would be relished by scammers of all kinds, especially BEC (Business Email Compromise) actors. That said, the ultimate irresponsibility of yet another Fortune 500 company once again highlights the dangers of trusting companies that choose not to invest even a minuscule percentage of their massive profits in data security.