The US real-estate insurance company First American Financial Corp. accidentally leaked hundreds of millions of documents. The company has more than 18,000 employees and brought in more than $5.7 billion in 2018.
Roughly 885 million insurance-related documents were leaked online, including details of wire transfers, and property records.
The documents date back to 2003 and include bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.
The news was first reported by the popular investigator Brian Krebs who was informed of the leak by the real-estate developer Ben Shoval.
“Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records.” reads a blog post published by Brian Krebs, “He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
Shoval discovered that the documents were exposed online through the company website, anyone who knew the URL for one of the documents could view it, and by just by modifying a single digit in the link could view other files.
The developer shared its discovery with Krebs after attempting to notify the data leak to the company without success.
At the time of writing, First American Financial has updated its website and secured the documents.
“We are currently evaluating what effect, if any, this had on the security of customer information,” a spokesperson said. “We will have no further comment until our internal review is completed.”
The company confirmed that on May 24, 2019, it learned of a design flaw in one of its production applications that made possible unauthorized access to the huge trove of data.
It is not clear how long the documents remained exposed online, but querying the archive.org website it is possible to verify that documents were available from at least March 2017.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.” reads a statement sent by the company to Krebs. “The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment
First American Financial is still investigating the incident and hired a forensics firm to help it.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.