More Than 900 Million Financial Records Exposed

After a decade of nonstop corporate data breaches and exposures, you'd think large organisations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. 

Recently, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. 

While there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers, that it's hard to rule out that possibility.

The Hack
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. 

An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted, beginning with "000000075," according to Krebs and pull up the documents associated with that customer case. First American took down the site that populated the records and Krebs notified the company of the situation recently.

“First American has learned of a design defect in an application that made possible unauthorised access to customer data," the company said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

First American did not answer questions about how long the records were exposed online. The company says it has hired a forensic firm to assess whether customer data was ever stolen. First American, which is based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.

Who's Affected
Well, lots of people! First American is the top title insurance firm in the United States, which means the company is often party to both the buyer and lender sides of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about both buyers and sellers.
While the hope is that the data was never actually stolen, millions of people may have been impacted if it was. If you've bought or sold a house in the past several years, there's a decent chance First American had a hand in it.

How Serious Is This?
The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organisations still overlook basic errors.

The good news is that exposed data does not necessarily mean stolen data. There's a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.

If you’re a First American customer or think you were party to a transaction that also involved the company there isn’t a lot you can do to protect yourself against the possibility that your data was stolen as a result of this exposure. But watch your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, avail yourself of a free credit monitoring offer from another security incident your data was involved in. By this point, you've almost certainly qualified for it. You can also consider a credit freeze.

Security practitioners always hope that major security incidents, like the notorious Equifax breach, will be a wake-up call to all companies. But the consequences for such missteps are only first starting to appear. 

For example, Moody’s recently downgraded its ratings outlook for Equifax. A spokesperson said, “It’s the first time that cyber has been a named factor in an outlook change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.

Wired:        Krebs On Security:

You Might Also Read:

Tesco Bank Fined £16.4m For Exposing Customers:

UK Fallout From The Massive Breach At Equifax:

 

« Britain Hacks Back
DDoS Attacks Up By 84% In Q1 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

StratoKey

StratoKey

StratoKey is an intelligent Cloud Access Security Broker (CASB) that secures your cloud and SaaS applications against data breaches, so you can do secure and compliant business in the cloud.

CANVAS Consortium

CANVAS Consortium

The CANVAS Consortium aims to unify technology developers with legal and ethical scholar and social scientists to approach the challenges of cybersecurity.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

ThreatBook

ThreatBook

ThreatBook is dedicated to providing real-time, accurate and actionable threat intelligence to block, detect and prevent attacks.

Reposify

Reposify

Reposify’s cybersecurity solution identifies, manages and defends companies’ global digital footprints.

Bavarian IT Security Cluster

Bavarian IT Security Cluster

The Bavarian IT Security Cluster works to build regional IT security competencies and increase the competitiveness and market opportunities of its member companies.

Arsenal Recon

Arsenal Recon

Arsenal Recon are digital forensics experts, providing consultancy services and powerful software tools to improve the analysis of electronic evidence.

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC)

Bangladesh Computer Council (BCC) is a government body providing support for ICT related activities including formulating national ICT strategy and policy.

Safe Security

Safe Security

Safe Security (formerly Lucideus) provides Cyber risk assessment services and platforms to multiple Fortune 500 companies and governments across the globe.

GuardSI

GuardSI

GuardSI was created to protect companies from growing threats to security such as fraud, hacking, internal theft, accidents and human mistakes that can directly affect the business.

Outsource UK

Outsource UK

Outsource UK is an independent recruitment company supplying highly-skilled technology, change and engineering talent to clients within a range of specialist sectors including Cyber Security.

QNu Labs

QNu Labs

QNu Labs’s quantum-safe cryptography products and solutions assure unconditional security of critical data on the internet and cloud across all industry verticals, globally.

Alea Consulting

Alea Consulting

Alea Consulting is a global risk mitigation and investigative consulting firm, which helps organizations reduce reputation and operational concerns.

Vana Solutions

Vana Solutions

Vana Solutions is an Information Technology Services company. We help commercial & federal organizations select, adapt, and integrate the right technology solution so you can move faster.

Skylark

Skylark

Skylark is a leading global IT services provider, transforming client’s businesses through innovative and advanced technology solutions.

Lumos

Lumos

Lumos, the Unified Access Platform to manage all access to apps and data.