885 million first US financial records exposed online

After a solid decade of uninterrupted corporate data breaches and exposures, you would think that large organizations would have at least corrected the most basic and damaging types of data mismanagement. But there is clearly still a long way to go. On Friday, freelance security reporter Brian Krebs revealed that real estate and title insurance giant First American had 885 million sensitive client financial records, dating back to 2003, exposed on its website for anyone to see. to access. And while there’s currently no evidence that anyone actually found and stole the information, it was so easy to grasp – and so obviously valuable to the scammers – that it’s hard to rule out the possibility.


Krebs reports that the exposed documents included social security numbers, images of driver’s licenses, bank account numbers and statements, mortgage and tax documents and electronic transaction receipts – an absolute treasure trove for any scammer or thief. ‘identify. An attacker who figured out the format of the company’s document URLs could have entered any “registration number” he wanted – starting with “000000075”, according to Krebs – and extracted the documents associated with this case customer. The first American took down the site that filled in the records at 2 p.m. ET on Friday. Krebs informed the company of the situation earlier this week.

“First American has become aware of a design flaw in an application that has enabled unauthorized access to customer data,” the company said in a statement. “The company took immediate action to remedy the situation and closed external access to the application. We are currently evaluating what effect, if any, this has had on the security of customer information. We will not no further comment until our internal review is complete.

First American did not respond to questions from WIRED about how long the recordings were exposed online. The company says it has hired a forensic company to assess whether customer data has ever been stolen. First American, based in Santa Ana, Calif., is a Fortune 500 company with more than 18,000 employees.

Who is concerned

Well, lots of people! First American is the premier title insurance company in the United States, which means the company is often involved on both the buyer’s side and the lender’s side of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about buyers and sellers.

Although it is hoped the data was never stolen, millions of people could have been affected if it was. If you’ve bought or sold a home in the past few years, chances are First American has been involved.

How serious is it?

First American’s exposure is a major incident, as it highlights how little progress many institutions have made in locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organizations still overlook basic mistakes.

The good news is that exposed data does not necessarily mean stolen data. It’s possible no one stumbled upon this treasure before the company had a chance to secure it. But unlike other data leaks of a similar scale, which largely involve password and username combinations, the data from the first US transport would have devastating long-term consequences for potential victims. .

If you are a First American customer or believe you have been involved in a transaction that also involves the company, there is little you can do to protect yourself against the possibility that your data may have been stolen as a result of this exposure. But monitor your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, take advantage of a free credit monitoring offer from another security incident in which your data was involved. At this point, you are almost certainly qualified for it. You can also consider a credit freeze.

Security practitioners always hope that major security incidents, like the infamous Equifax breach, will be a wake-up call for all businesses. But the consequences of such missteps are only beginning to appear. On Wednesday, for example, Moody’s lowered its rating outlook for Equifax. A spokesperson said: “This is the first time cyber has been a named factor in a shift in perspective. Until other dramatic economic motivations emerge, disasters like First American, or worse, will continue.

More Great WIRED Stories

Comments are closed.