First American site bug exposed 885 million sensitive title insurance records – TechCrunch

News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed about 885 million sensitive records due to a bug on its website.

Krebs reported that the company’s website stored and exposed bank account numbers, statements, mortgage and tax records, Social Security numbers and driver’s license images in a sequential format. Anyone who knew a valid web address for one document would simply have to change a number in the address to display other documents, he said.

No authentication, such as a password or other control, was required to prevent access to other documents.

According to the Krebs report, the first document was labeled “000000075”, with more recent documents increasing in numerical order, he said.
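The flaw described above is a missing per-object authorization check behind guessable references. The following is an added example, not code from the article or from First American: it puts a lookup that trusts the reference beside a hardened lookup. All names (`fetch_flawed`, `DocumentService`, the users and document contents) are hypothetical and the data is constructed.

```python
import secrets

# Constructed sample data: sequential reference -> (owner, contents).
DOCS = {
    "000000075": ("alice", "wire instructions A"),
    "000000076": ("bob", "tax record B"),
}

def fetch_flawed(doc_ref):
    """Design described in the article: any valid reference returns the document."""
    rec = DOCS.get(doc_ref)
    return rec[1] if rec else None

class DocumentService:
    """Hardened variant: the caller must be authenticated and entitled to the object."""

    def __init__(self, docs):
        self._docs = {}       # opaque token -> (owner, contents)
        self._grants = set()  # (user, token) pairs allowed to read
        self.tokens = {}      # sequential ref -> token, kept server-side only
        for ref, (owner, body) in docs.items():
            token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
            self._docs[token] = (owner, body)
            self._grants.add((owner, token))
            self.tokens[ref] = token

    def share(self, owner, token, grantee):
        """Only the owner may extend read access to another authenticated user."""
        rec = self._docs.get(token)
        if rec is None or rec[0] != owner:
            raise PermissionError("not found or not permitted")
        self._grants.add((grantee, token))

    def fetch(self, user, token):
        if user is None:
            raise PermissionError("authentication required")
        # The authorization check is the control; the random token is only
        # defense in depth. Missing and forbidden return the same error so
        # responses do not reveal which references exist.
        if (user, token) not in self._grants:
            raise PermissionError("not found or not permitted")
        return self._docs[token][1]
```

Cached or forwarded links stop being sufficient on their own in the hardened variant, because the token is checked against the authenticated user on every request.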

The data goes back to at least 2003, Krebs said.

“Many of the files on display are electronic transaction records with bank account numbers and other information from buyers and sellers of homes or property,” Krebs wrote. First American is one of the largest real estate title insurers in the United States, earning $5.8 billion in revenue in 2018.

First American spokesperson Marcus Ginnaty told TechCrunch:

On May 24, First American learned that a design flaw in one of its production applications made unauthorized access to customer data possible. Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. Therefore, the company took immediate action to remedy the situation and closed external access to the app. We are currently evaluating what effect, if any, this has had on the security of customer information. We hired an external forensic firm to ensure that there was no significant unauthorized access to our clients’ data.

Although the website is down, many documents are still cached in search engines, security researcher John Wethington told TechCrunch. We are not linking to the exposed data while it is still readable. Some 6,000 documents were still on display after the disclosure, the spokesperson said, and the company “was taking appropriate steps to remove the cache in question from search engines.”

This is the latest breach of sensitive mortgage data in recent months.

TechCrunch exclusively reported in January that a trove of more than 24 million financial and banking documents was inadvertently left exposed on a public cloud storage server for anyone to access. The data contained loan and mortgage agreements, repayment schedules, and other highly sensitive financial and tax documents that reveal an intimate glimpse into a person’s financial life.

Updated with remarks from First American and new details on cached data.

