Real estate and title insurance firm First American Financial Corp. has apparently left more than 885 million sensitive financial records belonging to its customers unprotected on its website, free for anyone to peruse or grab. The exposed records date back as far as 2003. First American is a huge corporation: it employs 18,000 people and earned revenues of more than $5.7 billion in 2018.

Writing in Wired, Lily Hay Newman concludes that many major organizations still have not recognized the need for even the most basic data protections:

Krebs reports that the exposed records included Social Security numbers, driver’s license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. An attacker who figured out the format of the company’s document URLs could have input any “record number” they wanted—beginning with “000000075,” according to Krebs—and pull up the documents associated with that customer case. First American took down the site that populated the records at 2 pm ET on Friday. Krebs notified the company of the situation earlier this week.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” the company said in a statement. “The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

[…]

The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organizations still overlook basic errors.

The good news is that exposed data does not necessarily mean stolen data. There’s a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.
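The flaw the excerpt describes is a classic insecure direct object reference: the sequential record number in the URL is the only key consulted, and nothing checks who is asking. The following is an added example, not First American's code; the document store, owners, record numbers and access log are all constructed. It shows the vulnerable lookup beside a hardened one that requires a session and an ownership check, plus a small detection aid for spotting a client walking through sequential ids.

```python
"""Added illustration of the access-control gap described above (constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Document:
    record_number: str   # zero-padded sequential id, e.g. "000000075"
    title: str
    owner: str           # customer the document belongs to (constructed)


# Constructed sample store. Sequential ids make every neighbour trivially guessable.
DOCUMENTS = {
    "000000075": Document("000000075", "wire receipt", owner="alice"),
    "000000076": Document("000000076", "bank statement", owner="bob"),
    "000000077": Document("000000077", "mortgage packet", owner="carol"),
}


def vulnerable_fetch(record_number: str):
    """Mirrors the reported defect: the record number from the URL is the only
    input, so any number that exists returns someone else's file."""
    return DOCUMENTS.get(record_number)


class Forbidden(Exception):
    pass


def hardened_fetch(session_user, record_number: str) -> Document:
    """Require an authenticated session and verify the caller is a party to the
    record. 'Missing' and 'not yours' get the same error so the response does
    not confirm which record numbers exist."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(record_number)
    if doc is None or doc.owner != session_user:
        raise Forbidden("record not available to this account")
    return doc


def can_access(session_user, record_number: str) -> bool:
    """Boolean wrapper around hardened_fetch for callers and tests."""
    try:
        hardened_fetch(session_user, record_number)
        return True
    except Forbidden:
        return False


def flag_enumeration(access_log, threshold: int = 3):
    """Detection aid: clients that request `threshold` or more distinct record
    numbers are flagged. access_log is an iterable of (client, record_number)."""
    seen = defaultdict(set)
    for client, rec in access_log:
        seen[client].add(rec)
    return sorted(c for c, recs in seen.items() if len(recs) >= threshold)
```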