On May 30, 2019, williamsonsource.com reported that “First American Financial Corp.’s website was unknowingly exposing up to 885 million files related to real estate title insurance records dating from 2003 to 2019.” Further, reportedly, “[a]nyone with a URL for a valid document could view other documents by modifying a single digit in the URL. Viewing another document did not require authentication.”
According to williamsonsource.com, the data exposed by the website consisted of Social Security numbers, driver’s license images, wire transaction receipts, bank account numbers and statements, and mortgage and tax records.
The difference between a data exposure or data leak and a data breach, according to williamsonsource.com is that “[i]n a breach, unauthorized access to sensitive information is intentional. In a data exposure like this one, the sensitive information is left out in the open, often because improper security measures were used.”
As previously reported, New York’s Department of Financial Services is investigating the security vulnerability, and, recently, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company (collectively, “First American”) alleging, among other things, that First American, “[d]espite explicitly promising customers robust data security as part of the high cost of services, . . . allowed anyone to access the sensitive files of millions of customers.”