A leading mortgage settlement and title insurance company, First American Financial Corporation, left hundreds of millions of customer records accessible on the web, including personal information such as Social Security numbers, according to a report on a security blog Friday.
Though no data is known to have been taken, the scale of the security lapse was massive, putting at risk 885 million records from an unknown number of customers, wrote Brian Krebs, of KrebsOnSecurity, which covers breaches, hacks and online crime. Based on a tip from a real estate developer who found the vulnerability, Krebs wrote that anybody with access to a web portal for the company could have gained access to documents from other customers by altering digits in the web address.
The tactic, Krebs reported, could have allowed the theft of real estate transaction records dating back to 2003. Such records would reveal a wide range of personal information on customers, including names, bank account numbers, copies of driver’s licenses and other information submitted during the mortgage settlement process.
Krebs reported no evidence that the vulnerability had been exploited by hackers, nor was it clear how long the documents had been vulnerable to theft.
First American did not respond to a request for comment from The Washington Post. Krebs quoted a statement from First American confirming “a design defect in an application that made possible unauthorized access to customer data. . . . The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information.”
A real estate developer in Washington state, Ben Shoval, told The Post that he first detected the defect on Monday when he received a title report from First American and followed a link on the document to a public web page. By changing the document number in the site’s URL, Shoval said, he gained access to sensitive information on other First American customers.
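The defect described above is a missing authorization check on a document served by number. As an added illustration that is not code from the article, First American, or Krebs, the following Python models that pattern on a constructed in-memory store: the vulnerable lookup returns whatever record the number points to, while the hardened lookup first verifies that the authenticated requester is a party to the record. The document numbers, customer ids and record contents are constructed sample data.

```python
"""Model of the access-control defect in the article: a record is fetched
purely by the number in the URL, with no check that the requester is a
party to it. Everything here runs against a constructed in-memory store."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    parties: frozenset  # customer ids entitled to read this record
    summary: str


# Constructed sample data: three title records with sequential numbers,
# mirroring a portal where changing one digit reaches a neighbouring record.
DOCS = {d.doc_id: d for d in (
    Document(1001, frozenset({"cust-A"}), "closing statement, buyer A"),
    Document(1002, frozenset({"cust-B"}), "wire instructions, buyer B"),
    Document(1003, frozenset({"cust-A", "cust-C"}), "deed, A sells to C"),
)}


def fetch_vulnerable(doc_id: int) -> Document:
    """The defective pattern: whoever holds the link sees the record.
    The document number alone is treated as proof of entitlement."""
    return DOCS[doc_id]


def fetch_authorized(requester: str, doc_id: int) -> Document:
    """Hardened pattern: look the record up, then confirm the authenticated
    requester is one of its parties before returning anything. Unknown and
    forbidden numbers raise the same error, so the response does not
    reveal which numbers exist."""
    doc = DOCS.get(doc_id)
    if doc is None or requester not in doc.parties:
        raise PermissionError(f"document {doc_id}: access denied")
    return doc


def can_read(requester: str, doc_id: int) -> bool:
    """True if the hardened lookup would release the record to requester."""
    try:
        fetch_authorized(requester, doc_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # cust-A follows the link to 1001, then edits the number to 1002.
    print(fetch_vulnerable(1002).summary)  # prints buyer B's record: the leak
    print(can_read("cust-A", 1002))        # prints False once the check exists
```

Unguessable identifiers are worth adding as defence in depth, but the check on the requester's entitlement is what actually closes the hole; a sequential number behind a proper check leaks nothing.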
Shoval said he reached out to several executives at First American over the next few days, but did not receive any response. On Thursday, he contacted Krebs, he said.
“I always assumed title companies keep private information locked away, not available to anyone on the Internet,” he said.
First American is one of the U.S.’s largest title companies with revenues of $5.7 billion and 18,000 employees. It’s ranked 491 on Fortune’s list of the 500 largest U.S. companies by revenue.
Bank executives have warned that the risks of Internet leaks of sensitive information have grown as consumers rely increasingly on computers and mobile phones for financial transactions.
“The threat of cyber security may very well be the biggest threat to the U.S. financial system,” Jamie Dimon, chair and chief executive of JPMorgan Chase, said in an April letter to the company’s shareholders. The bank spends nearly $600 million a year on cyber security, he said, and has more than 3,000 employees dedicated to the issue.
Details of First American’s cyber security efforts were not available Friday.