Major US title insurer may have leaked hundreds of millions of records
First American Financial is investigating the "design defect" that gave unauthorised access to customer data
First American Financial Corporation, one of the largest US title insurers, may have allowed unauthorised access to more than 885 million records related to mortgage deals going back to 2003, according to a security researcher.
The flaw was outlined Friday in an article by Brian Krebs, a cybersecurity expert. Digitised records including “bank-account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver’s license images were available without authentication to anyone with a web browser,” he wrote.
In a statement, First American said that it learnt of a “design defect in one of its production applications that made possible unauthorised access to customer data” and has shut down external access.
“We are currently evaluating what effect, if any, this had on the security of customer information,” the company said. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorised access to our customer data.”
Title insurers like First American use their records and public documents to verify a seller is a property’s true owner and that it is free from liens. The companies collect a premium at the closing of the purchase and pay costs that may arise if someone disputes the new owner’s right to the property. That work means they regularly handle private information.
Ben Shoval, a real estate developer in Washington state, said he noticed the vulnerability after getting a link from First American earlier this week.
“I clicked on it and it sent me to a document that was for my transaction,” he said in an interview. “But when I looked at the link, I realised that if I just changed on number in it, it would show me other people’s private documents.”
Mr Shoval said he tried notifying First American but received no response. Then, he contacted Mr Krebs, who was able to confirm the vulnerability and estimate its scale.
Mr Krebs wrote in his article that he notified First American of the issue. He also noted that he didn’t have any information on whether fraudsters knew about the weakness or if any documents had been mass-harvested.
Earlier on Friday, he suggested the leak was “truly massive”. The company’s shares fell 2.2 per cent in post-market trading before rebounding.
A spokesman for First American declined to comment on the number of records potentially exposed or how long they were publicly available.
Updated: May 25, 2019 01:49 PM