A whistleblower and a security researcher have reported a data leak of epic proportions. Their discovery: a trove of more than 800 million mortgage documents overflowing with incredibly sensitive personal data that includes detailed bank account information.
The documents were scanned copies and they were leaking from firstam.com, the website of First American Financial. First American is a Fortune 500 provider of title insurance and real estate settlement services.
The digitized copies were only meant to be viewed by the parties involved in a given transaction. In reality, however, they could have been accessed by anyone who happened to have a valid link.
There were no security measures of any kind protecting the page. No usernames. No passwords. No two-factor authentication.
Worse yet, the files were sequentially numbered. If you started at one number you could simply add or subtract to sneak a peek at someone else’s mortgage documents.
Security researcher Brian Krebs received a tip about the leak from software developer Ben Shoval. Shoval stumbled upon the leak in the worst way possible — after visiting a link to his own documents.
Krebs validated Shoval’s report and went as far back in time as the system allowed. The earliest document he discovered dated all the way back to 2003. Numbers closer to the upper limit of the 885 million total were from present-day deals.
A great number of the exposed files appear to be forms relating to wire transfers. That’s logical enough, given the role that First American plays in real estate and mortgage transactions.
It’s also incredibly alarming. These documents contain names, email and physical addresses, dates of birth, social security numbers, bank account numbers, lender details, and loads of other data that fraudsters and identity thieves can’t wait to get their hands on.
First American has plugged the hole for now and the page was inaccessible as of earlier today. Krebs noted that he didn’t “have any information to suggest the documents were somehow mass-harvested,” thought it’s certainly possible they were.
All it would take is a fairly simple script that could run through numbers one at a time and save the documents that appeared after each change… child’s play for even a modestly-skilled hacker.
First American has provided the following comment while it investigates the situation: “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”