An estimated 885 million digitized documents from mortgage deals dating back to 2003 have been exposed by First American Financial Corp, a provider of title insurance and other services to the real estate and mortgage industries, according to a report by the KrebsOnSecurity security news site.
That exposure apparently puts at risk bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images, Krebs reported, all of which could be read without authentication by anyone with a web browser.
“On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data,” the company wrote in a statement provided to USA TODAY. “Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”
The statement added that First American “took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
Brian Krebs, who was the author of the report, wrote that he was contacted by a Washington state real estate developer, Ben Shoval, who told him that he’d had little luck getting a response from First American about what he found, which was “that a portion of its website (firstam.com) was leaking tens if not hundreds of millions of records.”
Password security: Why it’s a good day to change your password
Credit report mistakes: How to fix them before they cost you thousands
The Krebs report says Shoval discovered that “anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
Krebs separately confirmed the real estate developer’s findings. The respected security researcher, formerly a Washington Post reporter, was recently the first to report another high profile data rupture when he flagged that hundreds of millions of Facebook users had their account passwords stored in plain text format that could be searched by more than 20,000 Facebook employees.
The impact of this latest exposure is potentially enormous, given the sheer volume of individuals who have ever been sent a document link via email by First American, Krebs says.
“The exposure suffered by First American underscores the need for a comprehensive approach to securing systems and networks, especially areas that house sensitive information,” says Bob Rudis, chief data scientist at the Rapid7 Labs security company.
“Firewalls, anti-malware solutions, and other security-specific controls are not sufficient to reduce unwanted exposure,” says Rudis. He adds that organizations should “think like an attacker” so they can identify areas of weakness before others do.”
Tyler Owen, director of solution engineering at another security firm, CipherCloud says First American is guilty of gross negligence. “I believe that everyone in the information security industry is becoming quite numb to these types of disclosures as they seem to be happening almost weekly. No matter the bad press and potential negative impacts to a company, organizations still are not placing enough emphasis on data security and secure processes.”
For his part, Rudis says the real victims are the consumers whose data has been exposed.
Unfortunately they have “little recourse,” he says.
“We have no information on who might have accessed this over time and further have no real information on any misuse of this data as a result of the temporal exposure,” Rudis says.
He advises consumers to monitor your credit report regularly and put a freeze on all new credit applications immediately, and use the tools provided by your financial organizations to ensure no activity is occurring without your knowledge. And listen to whatever First American has to say about the matter.
First American Financial is a financial services company that provides title insurance, homeowners insurance, home warranties, such as for appliances, and various closing and other services for lenders. The company, with nearly $6 billion in revenue and 19,000 employees, is the nation’s largest provider of title insurance, which covers a homeowner in the event of claims that challenge the validity of the property’s ownership.
Email: [email protected]; Follow @edbaig on Twitter
Contributing: Paul Davidson