Customers' Information Dating Back to 2003 Exposed in a First American Financial Data Leak
Who is responsible for finding security vulnerabilities in software applications and websites? Well, there are people who have this task in their job descriptions. They use their enormous expertise to examine millions of lines of computer code, find out how software applications work, and check for any holes that can be exploited by hackers. As First American Financial's IT team can testify, however, security blunders are sometimes found by accident, by people whose job isn't connected to data protection in any way. In this particular case, we're talking about a Washington-based real estate developer who has preferred to remain anonymous.
A severe design flaw in First American Financial's website put people's data at risk
First American Financial hosts quite a few extremely sensitive documents on its website, www.firstam.com. When a customer needs to access a certain document, they can get the URL through various channels.
The unnamed developer had one such URL, and out of curiosity, he decided to modify it slightly. After he pressed Enter, the browser loaded a file that he wasn't supposed to see.
Here's a hypothetical example to make things clear. You are a First American Financial customer, and you have given it, among other things, a scan of your driver's license. You have the right to view it, and you have the URL – https://www.firstam.com/dl/100001.jpg. You modify this URL to https://www.firstam.com/dl/100002.jpg, and your browser loads a scan of the driver's license of a person you haven't met.
If you think about how much sensitive information First American Financial collects and stores, you'll see just how severe the threat can be.
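The flaw in the hypothetical above is commonly called an insecure direct object reference: the identifier in the URL is the only thing standing between a visitor and the file. The sketch below is an added example, not First American Financial's code; the store, function names, user names and the assumption that customers are authenticated are all hypothetical. It places that pattern beside a handler that checks ownership on the server.

```python
# Added example with constructed data; every name here is hypothetical.
import secrets

# Constructed sample store: document id -> (owning account, file label)
DOCUMENTS = {
    100001: ("alice", "alice-drivers-license.jpg"),
    100002: ("bob", "bob-drivers-license.jpg"),
}

class AccessDenied(Exception):
    pass

def fetch_vulnerable(doc_id):
    """Pattern the article describes: the id in the URL is the only check."""
    _owner, content = DOCUMENTS[doc_id]
    return content

def fetch_hardened(session_user, doc_id):
    """Object-level authorization: the authenticated caller must own the record."""
    record = DOCUMENTS.get(doc_id)
    # One error for "missing" and "not yours", so replies do not reveal valid ids.
    if session_user is None or record is None or record[0] != session_user:
        raise AccessDenied("document not available")
    return record[1]

# Defence in depth: links carry an unguessable token instead of a sequential id.
LINKS = {}  # token -> (doc_id, account the link was issued to)

def issue_link(session_user, doc_id):
    fetch_hardened(session_user, doc_id)  # only the owner can mint a link
    token = secrets.token_urlsafe(32)
    LINKS[token] = (doc_id, session_user)
    return token

def fetch_by_link(session_user, token):
    entry = LINKS.get(token)
    # The token alone is not enough; the ownership check still runs.
    if entry is None or entry[1] != session_user:
        raise AccessDenied("document not available")
    return fetch_hardened(session_user, entry[0])
```

A random token only makes links hard to guess; the ownership check is what keeps a leaked or forwarded link from exposing the file.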
The hole could have easily led to identity theft
As you can see, exploiting the flaw and getting access to documents that belong to other people was not difficult at all. Security experts say that automatically scraping the information with the help of a botnet was also possible. This is bad news in light of the nature of the data that was hosted on the vulnerable website.
First American Financial inadvertently exposed a grand total of 885 million files. The oldest of them dated back to 2003, but there were also much more recent documents, and they included wire transactions, bank account numbers and statements, mortgage and tax records, receipts, and Social Security numbers. In other words, the exposed data could have enabled identity theft on a fairly large scale.
First American Financial failed to react as quickly as it should have
As we mentioned already, the design flaw was discovered by a real estate developer who, thankfully, had no intention of stealing someone's identity. Instead, he wanted to ensure that the hole was plugged, but unfortunately, First American Financial wasn't very cooperative.
He wrote in, but he didn't get a response, and he decided that he had no other choice but to share his findings with Brian Krebs. First American Financial was much more willing to act when the cybersecurity reporter got in touch, and the exposed data was finally taken offline. A spokesperson told TechCrunch that the company is in the process of removing cached versions of the files, and that an investigation will reveal if anyone has accessed and used the exposed documents for malicious purposes.
What all this means is that it's difficult to estimate how big the impact of the leak is. For now, the one thing that is absolutely certain is that First American Financial should have reacted as soon as the unnamed real estate developer contacted it.