More Than 900 Million Financial Records Exposed

Uploaded on 2019-06-20 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

After a decade of nonstop corporate data breaches and exposures, you'd think large organisations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. 

Recently, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. 

While there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers, that it's hard to rule out that possibility.

The Hack
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. 

An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted, beginning with "000000075," according to Krebs and pull up the documents associated with that customer case. First American took down the site that populated the records and Krebs notified the company of the situation recently.

“First American has learned of a design defect in an application that made possible unauthorised access to customer data," the company said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

First American did not answer questions about how long the records were exposed online. The company says it has hired a forensic firm to assess whether customer data was ever stolen. First American, which is based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.

Who's Affected
Well, lots of people! First American is the top title insurance firm in the United States, which means the company is often party to both the buyer and lender sides of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about both buyers and sellers.
While the hope is that the data was never actually stolen, millions of people may have been impacted if it was. If you've bought or sold a house in the past several years, there's a decent chance First American had a hand in it.

How Serious Is This?
The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organisations still overlook basic errors.

The good news is that exposed data does not necessarily mean stolen data. There's a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.

If you’re a First American customer or think you were party to a transaction that also involved the company there isn’t a lot you can do to protect yourself against the possibility that your data was stolen as a result of this exposure. But watch your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, avail yourself of a free credit monitoring offer from another security incident your data was involved in. By this point, you've almost certainly qualified for it. You can also consider a credit freeze.

Security practitioners always hope that major security incidents, like the notorious Equifax breach, will be a wake-up call to all companies. But the consequences for such missteps are only first starting to appear. 

For example, Moody’s recently downgraded its ratings outlook for Equifax. A spokesperson said, “It’s the first time that cyber has been a named factor in an outlook change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.

Wired:        Krebs On Security:

You Might Also Read:

Tesco Bank Fined £16.4m For Exposing Customers:

UK Fallout From The Massive Breach At Equifax:

 

« Britain Hacks Back
DDoS Attacks Up By 84% In Q1 »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Leviathan Security Group

Leviathan Security Group

Leviathan provides a broad set of information security services ranging from low-level technical engineering to strategic business consulting.

maCERT

maCERT

maCERT is the national Computer Emergency Response Team for Morocco.

Beame.io

Beame.io

Beame.io is an information security company that distributes open source authentication infrastructure based on encryption.

BlueFiles

BlueFiles

BlueFiles enables users to send encrypted files securely while maintaining full control over recipients, access periods, downloads, and printing.

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling and Data Destruction protect the environment and your data with proven and trusted electronics recycling and data destruction services.

Blueskytec (BST)

Blueskytec (BST)

Blueskytec has applied its experience of over three decades of working in the field of embedded systems and encryption to provide a scalable and appropriate technology for cyber-physical devices.

swIDCH

swIDCH

swIDch is a technology company that aims to eliminate CNP (card not present) Fraud.

IntelligInts

IntelligInts

IntelligInts provide 24×7 threat monitoring, hunting, alerting, and mitigation in our world class Security Operations Center.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

SecureNation

SecureNation

SecureNation offers a wide variety of cutting-edge technologies and IT services to address almost any of your information security, network security and information assurance needs.

Stealth Software Technologies

Stealth Software Technologies

Stealth Software Technologies is focused on the generation of research and software products focused on applied cryptography and cybersecurity.

ArmorPoint

ArmorPoint

ArmorPoint redefines the traditional approach to cybersecurity by combining network operations, security operations, and SIEM technology in one platform.

Bleach Cyber

Bleach Cyber

Bleach Cyber helps small businesses with an affordable and user-friendly solution for managing cloud security.

Clarity

Clarity

Clarity is an AI cybersecurity startup that protects against deepfakes and new social engineering and phishing attack vectors accelerated by the rapid adoption of Generative AI.

SecureFlag

SecureFlag

SecureFlag is dedicated to enhancing secure coding across all technical profiles within the Software Development Lifecycle.

Kali Linux

Kali Linux

Kali Linux is an open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing.