First American shut down external access to an application on Friday after cybersecurity expert Brian Krebs alerted the title insurer that millions of records were exposed online.
“The digitized records – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images – were available without authentication to anyone with a Web browser,” Krebs wrote.
Krebs, widely followed by security experts via his krebsonsecurity.com website, said the documents he accessed included current records as well as data going back to 2003. He said he didn’t know if anyone had accessed the information for criminal purposes.
“As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings,” Krebs wrote. “By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state, but archive.org shows documents available from the site dating back to at least March 2017.”
Krebs posted an image of a record he got from the site related to the sale of a home in Scottsdale, Arizona. The document included Social Security number, mobile phone number, home address, email address and marital status. Krebs redacted that information to protect the seller’s privacy.
There is no evidence the security hole was exploited, First American said in a regulatory filing today. If that changes, the company will notify affected customers and provide credit monitoring services to them, the company said.
“An outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised,” First American said in the filing with the Securities and Exchange Commission. “Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred.”
First American set up a web page it said it will use to provide updates on the security incident. Click here to access it.
Also included in the SEC filing was a statement from First American CEO Dennis Gilmore: “We deeply regret the concern this defect has caused. We are thoroughly investigating this matter and are fully committed to protecting the security, privacy and confidentiality of the information entrusted to us by our customers.”
Earlier, First American gave the following statement to Krebs:
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
Krebs detailed how criminals could use the information if they downloaded it before First American blocked access:
“The information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters,” Krebs wrote.
“According to the FBI, BEC scams are the most costly form of cybercrime today,” he said. “Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions – including the email addresses, names and phone numbers of the closing agents and buyers.”
Publisher’s Note: This story has been updated by HousingWire to reflect information impact categories per standards set by the National Institute of Standards and Technology and other information security experts. At this time, per HousingWire definitions, the Publisher is classifying this incident as a data exposure. (June 3, 2019)