This vulnerability exposed digitized records such as mortgage and tax records, bank account numbers and statements, wire transaction receipts, social security numbers, and drivers license images without authentication. However, the company said that it had disabled the part of its website that served those files around 2 PM ET on Friday, and thereby addressed the vulnerability soon after it was notified by KrebsOnSecurity.
First American Financial Corp. has fixed a weakness in its site that appears to have exposed more than 885 million records related to mortgage deals going back to 2003 https://t.co/joo3sdVDZF Data exposed: SSNs, bank acct info, DL scans, mortgage/tax records, wire details pic.twitter.com/nEKb51JjLj
— briankrebs (@briankrebs) May 24, 2019
“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed”, the company said in a statement.
According to KrebsOnSecurity, “Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers.”
Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said, “That’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.”
Shoval even shared a document link given by First American from a recent transaction, which pointed to a record number that was nine digits long and which dated April 2019. Modifying the document number in the link by numbers in either direction would yield other peoples’ records before or after the same date and time.
The earliest document number that was available on the site was 000000075 that pointed a real estate transaction from 2003.
A spokesperson from the First American Financial Corporation shared the following statement:
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
The information leaked by First American would have been misused by scammers involved in Business Email Compromise (BEC) scams, which would impersonate real estate agents.
First American security team right now. pic.twitter.com/aaMDU6OFg1
— Scott Van Sande (@scottpants) May 24, 2019
No surprise here
— marty kubalanza (@aznalabukm) May 27, 2019
To know more about this news, check out the post by KrebsOnSecurity.