A design defect in a production application used by First American Financial Corp. gave scammers, phishers and other unauthorized parties an easily accessible gateway to hundreds of millions of documents containing highly sensitive customer data, cybersecurity expert Brian Krebs reported.
Based in Santa Ana, California, First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. The company employs about 18,000 people and reported $5.7 billion in total revenue last year.
According to Mr. Krebs’ blog, Krebs on Security, some 885 million digitized records containing bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images in First American’s computer system were accessible to anyone in the world with a web browser.
Anyone who knew the URL for a valid document on the website could view other documents just by modifying a single digit in the link. The earliest document accessible on the website was numbered 000000075, so the next document in the sequence could be accessed by changing part of the URL to 000000076, and so on through hundreds of millions of documents. No authentication was required to view any of the documents.
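The following added example (not code from Krebs on Security or First American) contrasts the lookup pattern described above with one that requires an authenticated session and checks ownership on every request. The `DocumentStore` class, its method names and the sample records are hypothetical, and the random reference comes from Python's standard `secrets` module.

```python
import secrets


class DocumentStore:
    """Toy in-memory store; class, methods and layout are assumptions."""

    def __init__(self):
        self._docs = {}    # sequential number -> (owner, content)
        self._by_ref = {}  # unguessable reference -> sequential number
        self._next = 75    # constructed start value, mirroring the article

    def add(self, owner, content):
        """Store a document; return (sequential number, random reference)."""
        number = f"{self._next:09d}"
        self._next += 1
        ref = secrets.token_urlsafe(32)  # 256 bits, not derivable from number
        self._docs[number] = (owner, content)
        self._by_ref[ref] = number
        return number, ref

    def get_weak(self, number):
        # Pattern described in the article: the nine-digit number alone
        # selects the document, with no session and no ownership check.
        _owner, content = self._docs[number]
        return content

    def get_checked(self, session_user, ref):
        # 1. Authentication: refuse anonymous callers outright.
        if session_user is None:
            raise PermissionError("authentication required")
        number = self._by_ref.get(ref)
        # 2. Per-object authorization: the caller must own this document.
        #    Unknown references and foreign documents get the same error,
        #    so responses do not reveal which references exist.
        if number is None or self._docs[number][0] != session_user:
            raise PermissionError("not authorized for this document")
        return self._docs[number][1]
```

The ownership check is the control that matters here. The random reference only removes the predictable sequence and does not replace authorization.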
According to Krebs on Security, a real estate developer discovered the security flaw after First American sent him a link to a record containing a nine-digit record number that could be used to access all the other documents on the server. The real estate developer reported it to First American but said the company failed to respond to his concerns, so he contacted Krebs on Security about the issue. Once Mr. Krebs confirmed the vulnerability, First American disabled the site that served the records.
“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business,” said Ben Shoval, the developer who alerted Krebs on Security about the vulnerability. “You give them all kinds of private information and you expect that to stay private.”
Mr. Krebs said the data exposed by First American “would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters.”
According to the FBI, BEC scams are the most costly form of cybercrime today.
While there was a clear and dangerous vulnerability in First American’s application, Krebs says he found no evidence that the accessible documents were mass harvested. He does, however, say that it’s possible that even a novice attacker could have stealthily reaped the data.
SC Magazine reports that cybercrimes have risen dramatically in the last couple of years, and a full 25% of those crimes targeted the banking and financial services industries. In 2018, investigators found nearly 15 billion identity records that had been stolen from companies were circulating on the dark web. There were also 12,000 security breaches – more than quadruple the number that occurred in 2017.
Beasley Allen lawyer Archie Grubb is looking into cases where consumers may be at risk related to the First American data breach. If you feel you might have a claim, he would like to talk with you.