Approximately 885 million digital documents have been exposed from mortgage deals that date back to 2003. First American Financial Corp is a provider of title insurance, as well as other services for the mortgage and real estate industries, and it allowed millions of records to be exposed according to one report.
The exposure is likely to put a variety of bank account statements and account numbers at risk, as well as Social Security numbers, tax records, wire transaction receipts, mortgage records, and driver’s license images. All of this information could be read through a web browser without getting authentication from anyone.
First American Financial Corp first learned of its designed defect on May 24 when one of the production applications made it possible for people to gain unauthorized access of its customer data. This information was provided to USA TODAY by the company in a written statement. It also said that privacy, security, and confidentiality are the top priorities for the company, and it is committed to protecting the information of its customers.
The statement also added that First American Financial Corp took action immediately to address the full situation and shut down the external access option for the application. It is currently evaluating the effects of the situation and if any issues were relating to customer information security. It also mentions that it hired an outsourced and unbiased forensic firm to ensure that there has been no unauthorized and meaningful access to its customer data.
Brian Krebs wrote the report and claims that he was contacted by Ben Shoval, a Washington state real estate professional, who said that he’d had no luck getting any response from the company about what he found out, which was that portions of its website had leaked hundreds of millions of customer records.
The initial report by Krebs claimed that Shoval learned that anyone that knew the URL for any valid document on the website could also view other documents by just modifying one or two digits in the link. Krebs then chose to confirm the findings of the real estate developer. He used to be a reporter for the Washington Post and was the first to report about another high-profile data breach because he determined that millions and millions of Facebook users had account passwords that were stored in plain-text format, which could be searched by over 20,000 Facebook employees.
Regardless of past reports, Kreb claims that this exposure issue is one of the worst he has seen because there are just so many individuals involved. Anyone who has ever gotten a document link by First American Financial Corp via email is likely to be a victim in this breach.
The chief data scientist from Rapid7 Labs, Bob Rudis, claims that this exposure is severe for First American, but it also highlights the need for a more comprehensive approach to securing the network and systems, especially for areas that house highly sensitive information.
He also says that anti-malware products, firewalls, and other security controls aren’t enough to reduce that unwanted exposure. Organizations need to think like a cyber-attacker to help them identify any areas of weakness before cybercriminals do it themselves.
The Director of Solution Engineering at CipherCloud, Tyler Owen, says that there has been a gross negligence by First American Financial Corp. He believes that everyone in the info security industry has become numb to these breaches and disclosures because they happen more and more frequently (about once a week). Regardless of the negative impacts and bad press for the company, organizations just aren’t putting enough emphasis on secure processes and data security.
The victims here are primarily the people who have had their data exposed because they have little to no recourse available to them.
The problem is that there is no information about who accessed the files over time, and no one has any concrete information about the misuse of the data because of the temporal exposure. It’s almost impossible to determine who leaked the information, who had access to it, who accessed it, and what they did with that ill-gotten information. If it were to, say, end up being sold on the dark web market, it might generate a lead, but nothing has surfaced so far.
If you believe you were part of the data breach, you should monitor your credit report and look for signs that someone has used your credit card without your permission. You can also freeze your credit report so that no new credit applications can be opened. Your financial organization is likely to have tools available to help you; utilize those tools to ensure that there is no activity on your accounts without your knowledge. It’s also helpful to listen for whatever information First American provides about the matter. That way, you’re well aware of something going amiss and can talk to the right people to seek restitution.
Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.