First American Financial, one of the country’s largest real estate title insurers, potentially exposed personal information in hundreds of millions of documents dating back to 2003.
A Fortune 500 company, First American is one of the most widely-used companies for title insurance and real estate closings, with hundreds of millions of records in its databases.
In this instance, First American’s databases did not require any authentication for access, allowing anyone with a valid link to the database to simply change a numeric code to find additional documentation. Due to the nature of the incident, it is unknown how many of the 885 million digital records stored by First American were breached.
Within the digital files were wire transfer records containing banking information for the seller and buyer, mortgage information to include names, addresses, Social Security Numbers, and a litany of other personal information. The database has been active since 2017 and contains files dating back to the earliest online transactions – document 000000075 – in 2003.
First American issued a statement to KrebsOnSecurity.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
Due to the lack of authentication, First American cannot speak to who accessed the database or for what purpose. The company is facing a lawsuit in California over security concerns in what has the potential to be one of the largest data breaches on record.
Cybercriminals would have found a virtual treasure trove of information in the database, allowing for more targeted phishing, ransomware, and wire-fraud to steal from the unsuspecting masses.
Businesses that deal with personal information have the added need for strict cybersecurity measures to ensure that data is not compromised. Archetype SC’s security engineers have decades of experience working in some of the largest businesses in the world to help secure data, respond to breaches, and ensure proper access for users. Keep your data under lock and key by working with Archetype SC.