First American Financial Corp. Leaked 885 Million Sensitive Title Insurance Records (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs on Security: The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records -- including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images -- were available without authentication to anyone with a Web browser.
Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018. Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he'd had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link. And this would potentially include anyone who's ever been sent a document link via email by First American. KrebsOnSecurity confirmed the real estate developer's findings, which indicate that First American's Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents. "As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings," Krebs adds. "By 2 p.m. ET Friday, the company had disabled the site that served the records. It's not yet clear how long the site remained in its promiscuous state."
A spokesperson for the company issued the following statement: "First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed."
Wow, who needs backdoors? (Score:1)
Who needs backdoors, pointer calculation errors, heap corruption, stack smashing, SQL injection, or security bugs when the app developers let anybody just walk right in through the front door? Wow, just, wow...
No, you don't. (Score:5, Insightful)
At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information.
Companies need to STFU with the doublespeak when this happens. No, you clearly do NOT take the "security, privacy and confidentiality" of your customers seriously nor are you "committed to protecting their information".
War is peace. Ignorance is strength. No, just stop it already. I might even have a shred of respect if they came out and said, "Yeah, we really fucked this up bad. We have fired everyone who had anything to do with any decision which led to this, up to and including the CEO and top levels of management. We screwed up and we know it."
We need to start seeing the corporate death penalty for these things. It's the only way companies will ever "take your privacy and security seriously". If the job of every person IN that company is on the line.
We've had enough.
They think they're Jedi knights... (Score:1)
With just the right amount of hand waving and BS'ing, we can make this problem simply disappear from the world's weak minded souls.
Great, just great (Score:3)
Another one of these screwups that probably includes my data. That's just swell.
Re: (Score:2)
And the exciting part is that the bad guys know what data of yours they got, and First Financial may or may not know what the bad guys got (but can probably guess), but nobody will tell YOU.
Re: (Score:3, Interesting)
This is not a "screwup". It was a sale, in the form of a "leak". What do they do? Pay the security to leave the door unlocked? It's better to pay a small fine for "lax security" than to go to jail for selling the data.
Blah Blah Blah (Score:3, Insightful)
At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information.
No, profit is your highest priority. Noobs
The old refrain (Score:5, Insightful)
"At <whatever company that had a huge security lapse>, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information... blah blah blah"
When the fuck are governments gonna stop protecting/rewarding these idiots and finally fine them enough to put them out of business completely???
Re: (Score:1)
When the fuck are governments gonna stop protecting/rewarding these idiots and finally fine them enough to put them out of business completely???
That will be up to us. If we want a clean government, we have to clean it ourselves.
They can find out exactly what was read (Score:2)
This is a simple web server "access". No system penetration, so the logs should be intact.
See which docs were accessed and inform those individuals what was disclosed. Give the company some time to figure this out, say 48 hours. Make them liable for all damages both direct, indirect, and perceived.
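The article describes the defect as sequential document links served without authentication, and this comment points out that the web server logs should show exactly which documents were fetched. The following is an added example, not code from the article or from First American, of the triage a defender would run over such logs: it parses combined-format access lines, flags clients whose request stream walks consecutive document ids, and reports which ids were actually served to each. The `/docs/<id>` path, the ids and the log lines are constructed placeholders, not the real site's.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined-log style). The /docs/<id>
# endpoint, ids and addresses are placeholders, not the real site's.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:09:01:02 -0400] "GET /docs/100000301 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:09:01:03 -0400] "GET /docs/100000302 HTTP/1.1" 200 51102 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:09:01:03 -0400] "GET /docs/100000303 HTTP/1.1" 200 47790 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:09:01:04 -0400] "GET /docs/100000304 HTTP/1.1" 200 50012 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:09:01:05 -0400] "GET /docs/100000305 HTTP/1.1" 200 49933 "-" "Mozilla/5.0"
198.51.100.23 - - [24/May/2019:09:02:10 -0400] "GET /docs/100004210 HTTP/1.1" 200 61020 "-" "Mozilla/5.0"
198.51.100.23 - - [24/May/2019:10:15:44 -0400] "GET /docs/100004210 HTTP/1.1" 200 61020 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2019:09:01:06 -0400] "GET /docs/100000306 HTTP/1.1" 404 221 "-" "Mozilla/5.0"
"""

# client ip, numeric document id, HTTP status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /docs/(\d+) HTTP/[\d.]+" (\d{3}) ')

def parse_doc_requests(log_text):
    """Return a list of (client_ip, doc_id, status) for each document fetch."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out

def longest_sequential_run(doc_ids):
    """Length of the longest run of consecutive ids, in request order."""
    best = run = 1 if doc_ids else 0
    for prev, cur in zip(doc_ids, doc_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=4):
    """Map client -> set of ids actually served (HTTP 200) for every client
    whose request stream contains a run of at least min_run consecutive ids.
    Failed requests count toward the run but not toward the disclosed set."""
    requested = defaultdict(list)
    served = defaultdict(set)
    for ip, doc_id, status in parse_doc_requests(log_text):
        requested[ip].append(doc_id)
        if status == 200:
            served[ip].add(doc_id)
    return {ip: served[ip] for ip, ids in requested.items()
            if longest_sequential_run(ids) >= min_run}
```

The returned per-client sets are the list of documents whose subjects need notifying; a normal recipient of a single emailed link (the second client above) does not trip the threshold.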
Fubar (Score:2)