More Than 900 Million Financial Records Exposed

Uploaded on 2019-06-20 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

After a decade of nonstop corporate data breaches and exposures, you'd think large organisations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. 

Recently, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. 

While there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers, that it's hard to rule out that possibility.

The Hack
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. 

An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted, beginning with "000000075," according to Krebs and pull up the documents associated with that customer case. First American took down the site that populated the records and Krebs notified the company of the situation recently.

“First American has learned of a design defect in an application that made possible unauthorised access to customer data," the company said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

First American did not answer questions about how long the records were exposed online. The company says it has hired a forensic firm to assess whether customer data was ever stolen. First American, which is based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.

Who's Affected
Well, lots of people! First American is the top title insurance firm in the United States, which means the company is often party to both the buyer and lender sides of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about both buyers and sellers.
While the hope is that the data was never actually stolen, millions of people may have been impacted if it was. If you've bought or sold a house in the past several years, there's a decent chance First American had a hand in it.

How Serious Is This?
The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organisations still overlook basic errors.

The good news is that exposed data does not necessarily mean stolen data. There's a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.

If you’re a First American customer or think you were party to a transaction that also involved the company there isn’t a lot you can do to protect yourself against the possibility that your data was stolen as a result of this exposure. But watch your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, avail yourself of a free credit monitoring offer from another security incident your data was involved in. By this point, you've almost certainly qualified for it. You can also consider a credit freeze.

Security practitioners always hope that major security incidents, like the notorious Equifax breach, will be a wake-up call to all companies. But the consequences for such missteps are only first starting to appear. 

For example, Moody’s recently downgraded its ratings outlook for Equifax. A spokesperson said, “It’s the first time that cyber has been a named factor in an outlook change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.

Wired:        Krebs On Security:

You Might Also Read:

Tesco Bank Fined £16.4m For Exposing Customers:

UK Fallout From The Massive Breach At Equifax:

 

« Britain Hacks Back
DDoS Attacks Up By 84% In Q1 »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

PlaxidityX

PlaxidityX

PlaxidityX (formerly Argus Cyber Security) is a global leader in mobility cyber security, provides DevSecOps, vehicle protection and fleet protection technologies and services.

PFP Cybersecurity

PFP Cybersecurity

PFP provides a SaaS solution for life-cycle protection based on our IoT security platform and power usage analytics.

InPhySec

InPhySec

InPhySec is a leading New Zealand information, physical and cyber security company.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

InfoLock

InfoLock

Infolock are experts in data governance, providing consulting and advisory services that help organizations effectively secure, manage, and optimize their data.

Networks Unlimited

Networks Unlimited

Networks Unlimited is a leading value-added distributor in Africa, providing technology solutions with a focus on security, networking, enterprise systems management and cloud technologies.

ChaosSearch

ChaosSearch

ChaosSearch is a massively scalable ELK-compatible log analysis platform delivered as a fully managed service with high-performance and low cost.

Halborn

Halborn

Elite blockchain cybersecurity. Award-winning ethical blockchain hackers to secure your stack end-to-end. Far beyond smart contracts.

Brennan IT

Brennan IT

For over 25 years, Brennan’s expert team has helped businesses achieve real success through innovative and secure technology solutions.

AnzenSage

AnzenSage

AnzenSage is a cybersecurity advisory consultancy specializing in security risk resilience for the food sector: agriculture, food manufacturing, food supply chain, vineyards, and wineries.

VP Techno Labs

VP Techno Labs

VP Techno Labs is an award-winning cybersecurity firm focusing only cybersecurity to develop cutting edge solutions for emerging business.

Offensive Security Manager (OSM)

Offensive Security Manager (OSM)

Offensive Security Manager is the ultimate AI software that will enforce offensive security automation, orchestration, coverage, ensure quality, and lets you manage whole process.

CyberEPQ

CyberEPQ

CyberEPQ (Cyber Extended Project Qualification) is the UK’s first and only Extended Project Qualification in Cyber Security.

Instil Software

Instil Software

Instil helps technology brands transform, innovate and disrupt their markets with category-defining software products that challenge us to think, feel and act in new ways.

Ciena

Ciena

Ciena is a global leader in optical and routing systems, services, and automation software. We build the world’s most adaptive networks to address ever-increasing digital demands.

Mitigata

Mitigata

Welcome to Mitigata, your premier partner in cybersecurity insurance, defence, compliance, and consultancy.