On June 10, 2019, cpomagazine.com reported that “First American, the largest real estate title insurance company in the United States, just won a particularly awful silver medal. An ongoing data leak at the company appears to have exposed the transaction records of about 900 million customers, which would make it the second-largest data breach in history behind the 3 billion accounts that were impacted by the Yahoo! hack of 2013.”
Cpomagazine.com reported that
Brian Krebs of KrebsOnSecurity broke the story, reporting that the documents involve mortgage deals and date back 16 years to 2003. Krebs reports that the leaked documents include bank account numbers and transaction records, Social Security numbers, driver’s license images, tax records and more. The leaked documents are a treasure trove for cyber criminals in terms of both personal identity theft and business email compromise attacks.
The worst part of all this is that this devastating leak wasn’t the result of a phishing scam, or even an insecure Amazon bucket. First American appears to have failed to secure unique URLs to these documents properly, using a sequential system and allowing anyone to access customers’ information simply by entering the right URL into a web browser.
Additionally, cpomagazine.com reported that
[t]he First American data leak is likely to have a long reach and cause a lot of pain. Millions of Americans may now have their most sensitive personal financial details available on the dark web; the company also has clients in Canada and Europe that may have been exposed. First American has retained an outside security firm to determine the extent of the data leak access, but it will likely be difficult given that exfiltration was as simple as knowing the correct master URL. [Emphasis added.]
First American stated in a recent SEC Form 8-K filing that “First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data. The company is working diligently to address the defect and restore external access.”
A state regulator is, reportedly, investigating First American’s security vulnerability.
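The defect described in the quoted report, sequentially numbered document URLs served to anyone who entered them, is a missing authorization check on a direct object reference. The sketch below is an added illustration, not First American's code: the class, method names and sample records are hypothetical, and it contrasts the unchecked lookup with one that verifies the caller owns the record.

```python
import secrets

# Constructed sample records (owner, document body); not real data.
SAMPLE_RECORDS = [("alice", "closing statement A"), ("bob", "wire instructions B")]


class DocumentStore:
    """Hypothetical document service showing the defect pattern and a hardened lookup."""

    def __init__(self, records):
        self._by_seq = {}    # sequential id -> (owner, body)
        self._by_token = {}  # unguessable token -> (owner, body)
        self.tokens = {}     # owner -> token handed to that owner
        for seq, (owner, body) in enumerate(records, start=1):
            self._by_seq[seq] = (owner, body)
            token = secrets.token_urlsafe(32)
            self._by_token[token] = (owner, body)
            self.tokens[owner] = token

    def fetch_unchecked(self, seq_id):
        """Defect pattern: the identifier in the URL is the only 'credential'."""
        record = self._by_seq.get(seq_id)
        return record[1] if record else None

    def fetch_authorized(self, session_user, token):
        """Hardened lookup: authenticated caller plus an ownership check.

        The random token only makes identifiers hard to guess; the
        ownership comparison is what actually enforces access.
        """
        if session_user is None:
            raise PermissionError("authentication required")
        record = self._by_token.get(token)
        # Same error for 'unknown token' and 'someone else's record',
        # so responses do not reveal which identifiers exist.
        if record is None or record[0] != session_user:
            raise PermissionError("not found or not permitted")
        return record[1]
```

Logging every `PermissionError` raised by the hardened lookup, keyed by session and source address, gives responders the access trail that is hard to reconstruct when a bare URL was the only gate.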