The website for First American Financial Corporation, a Fortune 500 real estate title insurance giant, leaked hundreds of millions of documents and records relating to mortgage deals dating back more than 15 years.
According to an article on KrebsOnSecurity.com, the digitized records, including bank account numbers and statements, Social Security numbers, driver’s license images, mortgage and tax records and wire transaction receipts, were available to pretty much anyone with a Web browser.
Open Access to Sensitive Information
Santa Ana-based First American is the leading provider of title insurance and settlement services, employing about 18,000 people and earning more than $5.7 billion in 2018. KrebsOnSecurity was reportedly contacted by a real estate developer in Washington State who said he had no luck getting the company’s attention even after he told them their website was leaking tens, if not hundreds, of millions of records.
Anyone who knew the URL for a valid document at the website could view other documents just by modifying one digit in the link. This would potentially include anyone who has ever received a document link via email from the company.
KrebsOnSecurity has confirmed that First American’s website exposed about 885 million files without requiring any type of authentication for access. Most exposed files are wire transactions with bank account numbers and other information from home or property buyers and sellers.
As a title insurance agency, the company gathers all types of documents from both buyers and sellers, who provide this information with the expectation that it will be private and secure.
First American says the document leak happened because of a “design defect in an application.” A spokesperson told KrebsOnSecurity that the company has taken immediate action to shut down access to the application and is evaluating what impact this may have had on customer information.
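The flaw described above, where the number in a link is the only thing standing between a visitor and a file, is shown here as an added example next to a checked version; it is not First American's code. All names, the sample records and the signed-link scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

LINK_KEY = secrets.token_bytes(32)  # assumed server-side secret, never sent to clients

# Constructed sample records: document number -> (owner, contents).
DOCUMENTS = {
    1000001: ("buyer@example.com", "wire receipt A"),
    1000002: ("seller@example.com", "wire receipt B"),
}


def fetch_by_number(doc_id):
    """The flawed pattern: the number in the link is the only thing checked."""
    record = DOCUMENTS.get(doc_id)
    return record[1] if record else None


def _tag(doc_id, recipient, expires):
    # Bind document, recipient and expiry together under the server key.
    msg = f"{doc_id}|{recipient}|{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_link(doc_id, recipient, now, ttl=86400):
    """Parameters for an e-mailed link that is valid for one recipient until expiry."""
    expires = now + ttl
    return {"doc": doc_id, "exp": expires, "sig": _tag(doc_id, recipient, expires)}


def fetch_checked(params, session_user, now):
    """Serve a document only to its logged-in owner via an untampered, unexpired link."""
    if session_user is None:                              # authentication
        return None
    record = DOCUMENTS.get(params["doc"])
    if record is None or record[0] != session_user:       # per-document authorization
        return None
    expected = _tag(params["doc"], session_user, params["exp"])
    if not hmac.compare_digest(expected, params["sig"]):  # link integrity
        return None
    if now > params["exp"]:                               # link lifetime
        return None
    return record[1]
```

The ownership check is what closes the hole; the signature and expiry only limit how long a forwarded or leaked link stays useful.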
If You Have Been Affected
There is no question that this is the kind of data breach that phishers, scammers, and fraudsters would have a field day with. KrebsOnSecurity says Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, and title and escrow firms to trick property owners into wiring funds to scammers, are the most costly form of cybercrime today.
If you have been a victim of scams stemming from a data breach such as this one, please take every possible step to secure your information by monitoring your bank accounts and credit cards, changing passwords on your key accounts, and signing up for a credit or identity monitoring service that will help monitor your financial accounts and sensitive personal information.
You may also be able to seek compensation for your losses by filing a class-action lawsuit against the company, which had a legal obligation to protect your personal information. An experienced Orange County class action lawyer can help you evaluate your legal rights and options.
Source: https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/