The US real-estate insurance company First American Financial Corp. accidentally leaked hundreds of millions of documents. The company has more than 18,000 employees and brought in more than $5.7 billion in 2018.
Roughly 885 million insurance-related documents were leaked online, including details of wire transfers, and property records.
The documents date back to 2003 and include bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.
The news was first reported by the popular investigator Brian Krebs who was informed of the leak by the real-estate developer Ben Shoval.
“Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records.” reads a blog post published by Brian Krebs, “He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
Shoval discovered that the documents were exposed online through the company website, anyone who knew the URL for one of the documents could view it, and by just by modifying a single digit in the link could view other files.
The developer shared its discovery with Krebs after attempting to notify the data leak to the company without success.
At the time of writing, First American Financial has updated its website and secured the documents.
“We are currently evaluating what effect, if any, this had on the security of customer information,” a spokesperson said. “We will have no further comment until our internal review is completed.”
The company confirmed that on May 24, 2019, it learned of a design flaw in one of its production applications that made possible unauthorized access to the huge trove of data.
It is not clear how long the documents remained exposed online, but querying the archive.org website it is possible to verify that documents were available from at least March 2017.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.” reads a statement sent by the company to Krebs. “The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment
First American Financial is still investigating the incident and hired a forensics firm to help it.