As Americans grow increasingly concerned about data privacy, there’s never a shortage of confirmation that their worries are justified. The latest is news that First American Financial Corp., a large real estate title insurance company, left “hundreds of millions” of documents about mortgage deals dating back to 2003 exposed on its public website.
Anyone with a web browser could have accessed bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images on the site without authenticating.
Security researcher Brian Krebs confirmed the exposure after responding to a tip. He believes 885 million documents were exposed in all. Anyone sent a link to one of the documents could easily access other documents by simply changing a digit in the URL, Krebs said.
Whether the documents were actually stolen remains unknown. “I do not have any information on whether this fact was known to fraudsters previously,” Krebs wrote in a blog post, “nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”
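The class of defect described above, where the document number in the URL is the only gate, shown beside a handler that checks the session and the document's owner, with a regression check that walks the numbers next to one legitimately shared link. This is an added illustration, not First American's code; the document store, user names, function names and status codes are constructed assumptions.

```python
# Constructed sample store: sequential document numbers, each tied to one owner.
DOCS = {
    1001: {"owner": "alice", "body": "closing statement A"},
    1002: {"owner": "bob", "body": "wire receipt B"},
    1003: {"owner": "carol", "body": "tax record C"},
}


def fetch_vulnerable(doc_id, session_user=None):
    """Defective pattern: knowing the number in the URL is the only check."""
    doc = DOCS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


def fetch_hardened(doc_id, session_user=None):
    """Require a session, then authorize against the document's owner."""
    if session_user is None:
        return (401, None)
    doc = DOCS.get(doc_id)
    # Same answer for "does not exist" and "not yours", so responses
    # cannot be used to map which document numbers are in use.
    if doc is None or doc["owner"] != session_user:
        return (404, None)
    return (200, doc["body"])


def neighbour_audit(fetch, shared_id, user, span=2):
    """Access-control regression check: starting from one shared link,
    list adjacent document numbers the handler serves to a non-owner."""
    leaked = []
    for doc_id in range(shared_id - span, shared_id + span + 1):
        status, _ = fetch(doc_id, user)
        doc = DOCS.get(doc_id)
        if status == 200 and doc is not None and doc["owner"] != user:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    for handler in (fetch_vulnerable, fetch_hardened):
        print(handler.__name__, neighbour_audit(handler, 1002, "bob"))
```

A check like `neighbour_audit` belongs in the application's test suite, so that any handler serving records by identifier fails the build if it returns another owner's document.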
First American had shut down the website by 2 p.m. Eastern Time Friday, Krebs reports. The company also released the following statement:
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
Based in Santa Ana, California, First American is a Fortune 500 company that brought in $5.7 billion in revenue during 2018. It employs 18,000 people.
The data breach at First American comes just days after the credit rating giant Equifax saw its own financial outlook downgraded by Moody’s as a result of its leaking of 146 million consumers’ data back in 2017. Moody’s said it’s “the first time that cyber has been a named factor in an outlook change.”