In one of the largest breaches of customer records to have happened so far this year, American real estate insurance giant First American exposed approximately 885 million data records on its website that could be accessed by anyone without clearing authentication checks.
First reported by security researcher Brian Krebs, the massive data dump included digitised records dating back to 2003 and contained vast amounts of personal data, including social security numbers, bank account numbers and statements, mortgage and tax records, wire transaction receipts, and driver's license images.
These digital records were stored on the website of First American and could be accessed by anyone with a link to an individual data record. Each document was stored under a web link containing a nine-digit reference number, and by changing a single digit in such a link, visitors could access multiple digitised documents.
The earliest document available on the First American website dated back to 2003 and, in all, Krebs observed the presence of approximately 85 million documents containing Social Security numbers, driver's licenses, account statements, and other records that customers had provided to First American in order to obtain title insurance.
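The access pattern described above, as an added illustration that is not code from the article or from First American: a lookup that serves records by a guessable sequential number with no session check, beside a hardened version that requires an authenticated user, keys records by a random token and verifies ownership, plus a small log scan that flags a client stepping through consecutive reference numbers. The record store, the client addresses and the log lines are constructed.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


# Constructed sample store: nine-digit sequential reference numbers, as in
# the reported links, mapped to the customer each record belongs to.
@dataclass
class Document:
    doc_id: int
    owner: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


DOCS = {n: Document(n, owner) for n, owner in
        [(100000001, "alice"), (100000002, "bob"), (100000003, "carol")]}
BY_TOKEN = {d.token: d for d in DOCS.values()}


def fetch_vulnerable(doc_id):
    """The reported pattern: no session check, and the key is guessable."""
    return DOCS.get(doc_id)


def fetch_hardened(session_user, token):
    """Require an authenticated session, look up by an unguessable token,
    and confirm the caller owns the record before returning it."""
    if session_user is None:
        return None
    doc = BY_TOKEN.get(token)
    if doc is None or doc.owner != session_user:
        return None
    return doc


def enumeration_suspects(log_lines, threshold=3):
    """Flag clients whose requested reference numbers form a run of at least
    `threshold` consecutive values, the signature of someone stepping
    through links. Each constructed log line is 'client_ip doc_id'."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, doc_id = line.split()
        seen[ip].add(int(doc_id))
    suspects = set()
    for ip, ids in seen.items():
        ordered, run = sorted(ids), 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= threshold:
                suspects.add(ip)
                break
    return suspects


SAMPLE_LOG = [  # constructed access log, not real traffic
    "203.0.113.5 100000001",
    "203.0.113.5 100000002",
    "203.0.113.5 100000003",
    "198.51.100.9 100000002",
]
```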
First American data records could have been exploited by scammers
According to Krebs, the information exposed by First American could have been “a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters.”
“Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers,” he added.
Even though the unsecured data records on the First American website could have exposed the personal information of hundreds of thousands, or perhaps millions, of Americans, Krebs said that there is no evidence of fraudsters accessing such documents or mass-harvesting vast amounts of data from the website. First American has not yet disclosed the total number of people affected by the data leak.
“First American has learned of a design defect in an application that made possible unauthorised access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.
“The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorised access to our customer data,” said a company spokesperson.