First american site bug exposed 885 million sensitive title insurance records | techcrunch

News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed approximately 885 million sensitive records because of a bug in its website.

Krebs reported that the company’s website was storing and exposing bank account numbers, statements, mortgage and tax records, Social Security numbers and driving license images in a

sequential format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said. There was no authentication required

— such as a password or other checks — to prevent access to other documents. According to Krebs’ report, the earliest document was labeled “000000075” — with newer documents increasing in

numerical order, he said. The data goes back at least to 2003, said Krebs. “Many of the exposed files are records of wire transactions with bank account numbers and other information from

home or property buyers and sellers,” wrote Krebs. First American is one of the largest real estate title insurance giants in the U.S., earning $5.8 billion in revenue in 2018. First

American spokesperson Marcus Ginnaty told TechCrunch: > On May 24, First American learned of a design defect in one of its > production applications that made possible unauthorized 

access to > customer data. Security, privacy and confidentiality are of the > highest priority and we are committed to protecting our customers’ > information. Therefore, the 

company took immediate action to address > the situation and shut down external access to the application. We > are currently evaluating what effect, if any, this had on the > 

security of customer information. We have hired an outside forensic > firm to assure us that there has not been any meaningful > unauthorized access to our customer data. Although the

website was down, many of the documents are still cached in search engines, security researcher John Wethington told TechCrunch. We’re not linking to the exposed data while the data is still

readable. Some 6,000 documents were still exposed following the disclosure, the spokesperson said, and the company was “taking the appropriate steps to remove the cache in question from the

search engines.” It’s the latest breach of sensitive mortgage data in recent months. TechCrunch exclusively reported in January a trove of more than 24 million financial and banking

documents were left inadvertently exposed on a public cloud storage server for anyone to access. The data contained loan and mortgage agreements, repayment schedules and other highly

sensitive financial and tax documents that reveal an intimate insight into a person’s financial life. _Updated with remarks from First American and new details about the cached data. _ > 

Millions of bank loan and mortgage documents have leaked online