First American Financial Corp. left hundreds of millions of sensitive financial documents unprotected on its website dating back as far as 2003.
The security hole, discovered by Washington real estate developer Ben Shoval and reported by security journalist Brian Krebs, gave anyone with a web browser full access to digitized records related to mortgage deals. Among the exposed information were bank account numbers, Social Security numbers, and scans of driver licenses.
The documents on the site were accessible by simply changing a single digit in a valid document URL. The company identified every document on its site with a plain nine-digit sequential number, starting at 000000075, with each successive number corresponding to another person's document, and the link required no login to open.
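The exposure described above is a textbook case of a predictable sequential identifier standing in for authorization. As an added example, not taken from the article, from Krebs's report or from First American's systems, the detector below flags clients that walk consecutive document IDs in web-server access logs; the /documents/<id> path and the log lines are constructed assumptions.

```python
"""Detect sequential document-ID enumeration in web access logs.

Added example. It assumes a hypothetical endpoint /documents/<nine-digit id>
and works on constructed Common Log Format lines, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample log lines: one client walks IDs 75..79 in order,
# another fetches the same document twice (normal behaviour).
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2019:09:00:01 +0000] "GET /documents/000000075 HTTP/1.1" 200 5120
10.0.0.5 - - [24/May/2019:09:00:02 +0000] "GET /documents/000000076 HTTP/1.1" 200 4880
10.0.0.5 - - [24/May/2019:09:00:03 +0000] "GET /documents/000000077 HTTP/1.1" 200 6012
10.0.0.5 - - [24/May/2019:09:00:04 +0000] "GET /documents/000000078 HTTP/1.1" 200 5990
10.0.0.5 - - [24/May/2019:09:00:05 +0000] "GET /documents/000000079 HTTP/1.1" 200 5301
192.168.1.20 - - [24/May/2019:09:00:06 +0000] "GET /documents/000004120 HTTP/1.1" 200 7700
192.168.1.20 - - [24/May/2019:09:05:00 +0000] "GET /documents/000004120 HTTP/1.1" 200 7700
"""

# client ip, timestamp, nine-digit document id, HTTP status
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /documents/(\d{9}) HTTP/[\d.]+" (\d{3})'
)


def parse_requests(log_text):
    """Return {client_ip: [doc_id, ...]} for successful fetches, in log order."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":
            requests[m.group(1)].append(int(m.group(2)))
    return requests


def longest_consecutive_run(doc_ids):
    """Longest run in which each fetched ID is exactly the previous ID plus one."""
    best = run = 1 if doc_ids else 0
    for prev, cur in zip(doc_ids, doc_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, threshold=4):
    """Clients that walked `threshold` or more consecutive IDs: {ip: run_length}."""
    return {ip: n for ip, ids in parse_requests(log_text).items()
            if (n := longest_consecutive_run(ids)) >= threshold}
```

Detection like this is a compensating control only; the actual fix is to check that the authenticated user is entitled to the requested document before serving it, regardless of how the ID was obtained.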
“As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings,” Krebs reported on his findings.
“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver licenses, account statements, and even internal corporate documents if you’re a small business,” Shoval said. “You give them all kinds of private information and you expect that to stay private.”
First American took the exposed website offline on the afternoon of Friday, May 24th, and a spokesperson released the following statement:
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”