An estimated 885 million digitized documents from mortgage deals dating back to 2003 have been exposed by First American Financial Corp, a provider of title insurance and other services to the real estate and mortgage industries, according to a report by the KrebsOnSecurity security news site.
That exposure apparently puts at risk bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images, Krebs reported, all of which could be read without authentication by anyone with a Web browser.
USA TODAY has reached out to First American Financial and to Krebs for comment.
Brian Krebs, who was the author of the report, wrote that he was contacted by a Washington state real estate developer, Ben Shoval, who told him that he’d had little luck getting a response from First American about what he found, which was “that a portion of its web site (firstam.com) was leaking tens if not hundreds of millions of records.”
The Krebs report says Shoval discovered that “anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
Krebs separately confirmed the real estate developer’s findings. The respected security researcher, formerly a Washington Post reporter, was recently the first to report another high profile data rupture when he flagged that hundreds of millions of Facebook users had their account passwords stored in plain text format that could be searched by more than 20,000 Facebook employees.
The impact of the exposure is potentially enormous, given the sheer volume of individuals who have ever been sent a document link via email by First American, Krebs says.
“The exposure suffered by First American underscores the need for a comprehensive approach to securing systems and networks, especially areas that house sensitive information,” says Bob Rudis, chief data scientist at the Rapid7 Labs security company.
“Firewalls, anti-malware solutions, and other security-specific controls are not sufficient to reduce unwanted exposure,” says Rudis. He adds that organizations should “think like an attacker” so they can identify areas of weakness before others do.”
Rudis says the real victims here are consumers whose data has been exposed.
Unfortunately they have “little recourse,” he says.
“We have no information on who might have accessed this over time and further have no real information on any misuse of this data as a result of the temporal exposure,” Rudis says.
He advises consumers to monitor your credit report regularly and put a freeze on all new credit applications immediately, and use the tools provided by your financial organizations to ensure no activity is occurring without your knowledge. And listen to whatever First American has to say about the matter.
First American Financial is a financial services company that provides title insurance, homeowners insurance, home warranties, such as for appliances, and various closing and other services for lenders. The company, with nearly $6 billion in revenue and 19,000 employees, is the nation’s largest provider of title insurance, which covers a homeowner in the event of claims that challenge the validity of the property’s ownership.
Story is developing
Email: email@example.com; Follow @edbaig on Twitter
Read or Share this story: https://www.usatoday.com/story/tech/2019/05/24/first-american-financial-may-have-exposed-personal-data-in-mortgages/1228113001/