When it comes to private information, none is more sensitive than our financial data. It’s a holy grail for most cybercriminals, and people around the world pay millions each year to keep it secure from their clutches. If financial data falls into the wrong hands, the results can be truly devastating — with individuals and families losing savings, investments, and potentially their own identity to bad actors. Because of this, it’s no wonder that banks and financial institutions boast some of the most robust security of any platforms on the internet.
Despite this rule of thumb, no organization is completely immune to the treachery of data breaches. In the case of First American Financial, however, a recent breach seems to have sprung from carelessness instead of criminals. The company is one of the nation’s leading settlement and insurance providers, and on its public-facing website, private mortgage information, tax records, and even Social Security numbers can be seen by anyone with an internet connection!
When companies work with our finances, we expect them to maintain a basic level of security that respects our privacy. If personal information is handled this carelessly, hackers don’t even need to bother with intruding — they can immediately start exploiting the insecure data. If you’ve ever worked with this company, or want to know how deep the breach went for consumers, you won’t want to miss this.
How did First American Financial leak so much sensitive information?
As one of the country’s largest title insurance providers, First American has access to financial data of hundreds of millions consumers — including mortgage documents, Social Security numbers, drivers license images, tax records, and bank account numbers.
If a hacker or cybercriminal were to gain access to this information, it would be a treasure trove for identity thieves. A criminal could directly access bank accounts, take out loans in a person’s name, or commit widespread fraud on their behalf.
Data this sensitive is most devastating when exploited, so it’s only natural First American would invest in top-notch security to keep the information private. Indeed, its web infrastructure is stable and protective, but a flaw in its database design made this critical data visible to anyone using a web browser.
The data dated back nearly 16 years — and required no username or password to view. Yikes!
In an exposé by Brian Krebs of Krebs on Security, First American’s website was revealed to not be authenticating browser access to its document listings. The issue was brought to his attention by a real estate developer from Washington who had discovered the leak while viewing documents on his own.
First American regularly sends its users links to documents, with each file labeled by number in the web address. If you ever received a document link from the company, all you would need to do to access another person’s information would be to change the number in the URL. This flaw applies to hundreds of millions of documents, meaning anyone with know-how could skim them en masse.
What is First American doing to protect consumers going forward?
After the flaw was pointed out by Krebs on Security, First American returned with a statement saying it had shut down access to the faulty document links for the time being.
While this does prevent current and future access to this private data, Krebs claims that the internet archive shows the platform was fully accessible as early as March 2017. This means the information has been floating around publicly for over 2 years with zero security or oversight from First American!
For now, this information is inaccessible — which will help deter hackers and cybercriminals who may not have known about the flaw until Krebs pointed it out. In any case, there’s no way to be completely certain this data wasn’t accessed during that 2 year period. Some basic security precautions may be necessary for those who’ve relied on services from First American in the past.
If you’ve used First American Financial in the past 16 years, you should call the company and request to see what information it may have on file for you. Once you’ve verified your information, you’ll want to reach out to your own bank (and potentially credit reporting agencies) if you suspect fraud has occurred using your personal data.
The only thing worse than attempted fraud is letting it sit unreported. Usually, banks and credit reporting agencies will work closely with you to resolve any issues, so any damage can potentially be mitigated.
For the time being, make sure to research any financial organization you choose to work with in the future. Check its track record on data security, and make sure you feel comfortable with the data you’re sharing before you take the plunge. Your wallet will thank you.