TL;DR: Online security journalist Brian Krebs alerted real estate title insurance giant First American Financial Corp. that its website revealed hundreds of millions of mortgage-related documents. Easily accessible customer personal information included Social Security numbers, wire receipts, tax records, bank account statements, and even drivers’ licenses.
First American Financial Leaked Millions of Title Insurance Records
According to Krebs, he was contacted by a real estate developer worried that First American wasn’t responding to concerns that “a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
First American is considered a giant in settlement and title insurance services, employing thousands and having revenues well over $5 billion. The Fortune 500 real estate title company apparently leaked hundreds of millions of documents accrued over more than a decade and a half without knowing. Most such records have in recent years, of course, been made digital for ease of access, but evidently security was lax in the rush for convenience.
“KrebsOnSecurity confirmed the real estate developer’s findings,” Krebs explained, “which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.” Most of the files were recorded wire transactions (with bank account numbers), which routinely include property owner information — real estate buyers and sellers.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” the title company confirmed in a statement. “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
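The flaw described above, a document link where changing one digit returns another customer's file with no authentication, is shown here beside a hardened lookup. This is an added illustration, not First American's code; the record store, account names, and function names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential internal key
    owner: str    # account allowed to read the record
    body: str


# Constructed sample records; owners and contents are made up for illustration.
DOCS = {
    1001: Document(1001, "alice", "wire receipt A"),
    1002: Document(1002, "bob", "tax record B"),
}


class AccessDenied(Exception):
    pass


def fetch_unsafe(doc_id: int) -> str:
    """Flawed pattern: the number in the link is the only 'credential'."""
    return DOCS[doc_id].body


# Hardened pattern: links carry an unguessable token, and every read is
# authenticated and checked against the record's owner.
_TOKENS = {}  # token -> doc_id (hypothetical server-side mapping)


def issue_link_token(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = doc_id
    return token


def fetch_safe(session_user: Optional[str], token: str) -> str:
    if session_user is None:
        raise AccessDenied("authentication required")
    doc = DOCS.get(_TOKENS.get(token))
    # Same error for "no such document" and "not yours", so responses do
    # not confirm which references exist.
    if doc is None or doc.owner != session_user:
        raise AccessDenied("not found or not permitted")
    return doc.body
```

The random token only makes references hard to guess; the owner check is what stops a logged-in customer from reading someone else's file through a forwarded link.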