More Than 900 Million Financial Records Exposed

Uploaded on 2019-06-20 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

After a decade of nonstop corporate data breaches and exposures, you'd think large organisations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. 

Recently, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. 

While there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers, that it's hard to rule out that possibility.

The Hack
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. 

An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted, beginning with "000000075," according to Krebs and pull up the documents associated with that customer case. First American took down the site that populated the records and Krebs notified the company of the situation recently.

“First American has learned of a design defect in an application that made possible unauthorised access to customer data," the company said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

First American did not answer questions about how long the records were exposed online. The company says it has hired a forensic firm to assess whether customer data was ever stolen. First American, which is based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.

Who's Affected
Well, lots of people! First American is the top title insurance firm in the United States, which means the company is often party to both the buyer and lender sides of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about both buyers and sellers.
While the hope is that the data was never actually stolen, millions of people may have been impacted if it was. If you've bought or sold a house in the past several years, there's a decent chance First American had a hand in it.

How Serious Is This?
The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organisations still overlook basic errors.

The good news is that exposed data does not necessarily mean stolen data. There's a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.

If you’re a First American customer or think you were party to a transaction that also involved the company there isn’t a lot you can do to protect yourself against the possibility that your data was stolen as a result of this exposure. But watch your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, avail yourself of a free credit monitoring offer from another security incident your data was involved in. By this point, you've almost certainly qualified for it. You can also consider a credit freeze.

Security practitioners always hope that major security incidents, like the notorious Equifax breach, will be a wake-up call to all companies. But the consequences for such missteps are only first starting to appear. 

For example, Moody’s recently downgraded its ratings outlook for Equifax. A spokesperson said, “It’s the first time that cyber has been a named factor in an outlook change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.

Wired:        Krebs On Security:

You Might Also Read:

Tesco Bank Fined £16.4m For Exposing Customers:

UK Fallout From The Massive Breach At Equifax:

 

« Britain Hacks Back
DDoS Attacks Up By 84% In Q1 »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Capita

Capita

Capita is a consulting, digital services and software business, providing end-to-end enterprise IT services and solutions focused around digital transformation and innovation.

Cyber Aware

Cyber Aware

Cyber Aware aims to drive behaviour change amongst small businesses and individuals, so that they adopt simple secure online behaviours.

Total Cyber-Sec

Total Cyber-Sec

Total Cyber-Sec is a company specialized in providing Professional Information Security and Cybersecurity Services.

Pentest People

Pentest People

Pentest People are a UK-based security consultancy focussing on bringing the benefits of Pentesting as a Service (PTaaS) to all its clients.

Pipeline Security

Pipeline Security

Pipeline is a leader in cybersecurity, offering comprehensive services to protect organizations from evolving threats.

Blaze Information Security

Blaze Information Security

Blaze Information Security is a privately held, independent information security firm born from years of combined experience and international presence.

African Cyber Security

African Cyber Security

African Cyber Security and it's partners, have the expertise and skills to provide holistic solutions for companies, institutions and government.

Reflectiz

Reflectiz

Reflectiz empowers digital businesses to make all web applications safer by non-intrusively mitigating any website risks without a single line of code.

Psybersafe

Psybersafe

Psybersafe is a hands-on, behaviour-changing training system that keeps your people and your business cyber safe.

Hadrian

Hadrian

Hadrian is modernizing offensive security practices with automation, making them faster and more scalable. Equipped with the hacker’s perspective, companies can now know what their critical risks are.

SolidRun

SolidRun

SolidRun is a leading provider of computing and network technology designed to streamline the deployment of edge computing infrastructure and support embedded and IoT markets.

Amazon Web Services (AWS)

Amazon Web Services (AWS)

Amazon Web Services is the world’s most comprehensive and broadly adopted cloud platform, offering fully featured services from data centers globally.

Cyber Security Global

Cyber Security Global

Cyber Security Global is a leader in electronic security, consultancy, technology, cybersecurity solutions, training, and specialized products.

Reality Defender

Reality Defender

Reality Defender stops deepfakes before they become a problem. Our proprietary deepfake and generative content fingerprinting technology detects video, audio, and image deepfakes.

Scality

Scality

Scality storage unifies data management from edge to core to cloud. Our market-leading file and object storage software protects data on-premises and in hybrid and multi-cloud environments.

Nothreat

Nothreat

Nothreat has revolutionized how businesses like yours protect themselves from damaging cyber attacks. Our tech learns and adapts in real time, protecting clients from even zero-day attacks.