First American site bug exposed 885 million sensitive title insurance records
- Select a language for the TTS:
- UK English Female
- UK English Male
- US English Female
- US English Male
- Australian Female
- Australian Male
- Language selected: (auto detect) - EN
Play all audios:
Krebs reported that the company’s website was storing and exposing bank account numbers, statements, mortgage and tax records, Social Security numbers and driving license images in a
sequential format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said.
There was no authentication required — such as a password or other checks — to prevent access to other documents.
According to Krebs’ report, the earliest document was labeled “000000075” — with newer documents increasing in numerical order, he said.
“Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers,” wrote Krebs. First American is one of
the largest real estate title insurance giants in the U.S., earning $5.8 billion in revenue in 2018.
On May 24, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data. Security, privacy and confidentiality are
of the highest priority and we are committed to protecting our customers’ information. Therefore, the company took immediate action to address the situation and shut down external access to
the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not
been any meaningful unauthorized access to our customer data.
Although the website was down, many of the documents are still cached in search engines, security researcher John Wethington told TechCrunch. We’re not linking to the exposed data while the
data is still readable. Some 6,000 documents were still exposed following the disclosure, the spokesperson said, and the company was “taking the appropriate steps to remove the cache in
question from the search engines.”
It’s the latest breach of sensitive mortgage data in recent months.
TechCrunch exclusively reported in January a trove of more than 24 million financial and banking documents were left inadvertently exposed on a public cloud storage server for anyone to
access. The data contained loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial
life.
Updated with remarks from First American and new details about the cached data.