After a solid decade of nonstop corporate breaches and exposures, you'd think big organizations would at least have solved the most basic and obviously damaging types of computer abuse. But there is clearly still a long way to go. On Friday, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, dating back to 2003, exposed on its website for anyone to access. And while there is currently no evidence that anyone actually found and stole the information, it was so easy to grab, and so obviously valuable to scammers, that it is difficult to rule out that possibility.
Krebs reports that the exposed records include social security numbers, driver's license photos, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts: an absolute treasure chest for any fraudster or identity thief. An attacker who found out the format of the company's document addresses could have entered any "record number" they wanted, beginning with "000000075", according to Krebs, and pulled up the documents associated with that particular customer case. First American took down the site that hosted the records at 2:00 ET on Friday. Krebs notified the company about the situation earlier this week.
"First American has learned of a design defect in a program that allowed unauthorized access to customer data," the company said in a statement. "The company immediately took steps to address the situation and terminate remote access to the application. We are currently evaluating the effect, if any, on the security of customer information. We will not have any further comments before our internal review is completed."
First American did not answer questions from WIRED about how long the records were exposed online. The company says it has hired a forensic company to assess whether customer data was stolen. First American, based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.
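The flaw Krebs describes, a document selected by its record number alone, is an insecure direct object reference. The sketch below is an added illustration, not First American's code: it contrasts that lookup with one that checks the caller against the record. The store, the per-record party list, the session user and all function names are assumptions, and the sample records are constructed.

```python
# Added illustration; every name here is hypothetical, not First American's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    record_number: str   # sequential identifier, as in the addresses described above
    parties: frozenset   # account ids allowed to read this record (assumed model)
    body: str


# Constructed sample store: two unrelated customer cases.
STORE = {
    "000000075": Document("000000075", frozenset({"alice"}), "wire receipt (sample)"),
    "000000076": Document("000000076", frozenset({"bob"}), "tax form (sample)"),
}


class AccessDenied(Exception):
    """Raised for every refused request, whatever the reason."""


def fetch_exposed(record_number):
    """The flaw as reported: the record number alone selects the document."""
    doc = STORE.get(record_number)
    return doc.body if doc else None


def fetch_checked(record_number, session_user, audit):
    """Hardened form: require a session and verify the caller is a party."""
    doc = STORE.get(record_number)
    if session_user is None or doc is None or session_user not in doc.parties:
        # Same error for "missing" and "forbidden", so responses do not
        # reveal which record numbers exist; log the refusal for detection.
        audit.append((session_user, record_number, "denied"))
        raise AccessDenied(record_number)
    audit.append((session_user, record_number, "ok"))
    return doc.body


def denied_count(audit, user):
    """Refusals per caller; a burst across adjacent numbers suggests enumeration."""
    return sum(1 for u, _, outcome in audit if u == user and outcome == "denied")
```

Random, unguessable identifiers would make enumeration harder, but the per-request authorization check is what actually closes the hole.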
Who is affected?
Well, many people! First American is the top title insurance company in the United States, which means that the company is often a party to both the buyer and the lender side of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially includes information about both buyers and sellers.
While the hope is that the data was never stolen, millions of people could have been affected if it was. If you have bought or sold a house over the past few years, there is a decent chance First American had a hand in it.
How serious is this?
The First American exposure is an important event because it underscores how little progress many institutions have made in locking down customer data. Perfect security is impossible, but the stakes are incredibly high, and many large organizations still make basic errors.
The good news is that exposed data does not necessarily mean stolen data. There is a chance that no one stumbled upon this data before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve username and password combinations, the data in the First American haul will have devastating long-term consequences for potential victims.
If you are a First American customer or think you were party to a transaction that also involved the company, there is not much you can do to protect yourself from the possibility that your data was stolen as a result of this exposure. But check your bank and credit card details for suspicious activity. Consider purchasing credit monitoring or, better yet, making use of a free credit monitoring offer from another security event in which your data was involved. At this point, you almost certainly qualify for it. You can also consider a credit freeze.
Security practitioners always hope that major security events, such as the infamous Equifax breach, will be a wake-up call to all businesses. However, the consequences for such errors are only beginning to appear. On Wednesday, for example, Moody's downgraded its rating for Equifax. A spokesperson said, "It's the first time cyber has been a named factor in a prospect change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.