A security expert says up to 885 million files were exposed due to a security flaw on the title insurance giant’s website
A cybersecurity leak at title insurance giant First American Financial Corp. exposed hundreds of millions of mortgage documents dating back to 2003, according to an information security expert.
Brian Krebs, who runs the security news website KrebsOnSecurity.com, wrote that he was contacted last week by a Washington state real estate developer who said that First American’s website was leaking mortgage records.
“He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link,” Krebs wrote.
KrebsOnSecurity confirmed the report. According to Krebs, First American’s website exposed about 885 million files. Many of the exposed files were records of wire transactions that included homebuyers’ and sellers’ bank account numbers and other information, according to Krebs.
“No authentication was required to read the documents,” Krebs wrote.
“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver’s licenses, account statements, and even internal corporate documents if you’re a small business,” Ben Shoval, the developer who notified Krebs of the exposure, told Krebs. “You give them all kinds of private information and you expect that to stay private.”
First American patched the leak when Krebs notified the company.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” the company said in a statement provided to KrebsOnSecurity. “At First American, security, privacy, and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this has had on the security of customer information.”
The company said that it would not comment further until the completion of an internal review.
Krebs stressed that while the mortgage documents were available on the First American website, it was not known whether that information was previously known to fraudsters. Krebs said he had no information to suggest that the data was somehow mass-harvested.
“Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters,” Krebs wrote.
