After a solid decade of nonstop corporate data breaches and exposures, you'd think large organizations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. On Friday, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. And while there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers—that it's hard to rule out that possibility.
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted—beginning with "000000075," according to Krebs—and pull up the documents associated with that customer case. First American took down the site that populated the records at 2 pm ET on Friday. Krebs notified the company of the situation earlier this week.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data," the company said in a statement.
The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
First American did not answer questions from WIRED about how long the records were exposed online. The company says it has hired a forensic firm to assess whether customer data was ever stolen. First American, which is based in Santa Ana, California, is a Fortune 500 company with more than 18,000 employees.
Well, lots of people! First American is the top title insurance firm in the United States, which means the company is often party to both the buyer and lender sides of real estate transactions across the country. And the detailed financial and personal information involved in closings potentially involves information about both buyers and sellers.
While the hope is that the data was never actually stolen, millions of people may have been impacted if it was. If you've bought or sold a house in the past several years, there's a decent chance First American had a hand in it.
The First American exposure is a major incident, because it underscores just how little progress many institutions have made on locking down customer data. Perfect security is impossible, but the stakes are incredibly high and many large organizations still overlook basic errors.
The good news is that exposed data does not necessarily mean stolen data. There's a chance that no one stumbled across this trove before the company had the chance to secure it. But unlike other data leaks of similar scale, which largely involve password and username combinations, the data in the First American haul would have devastating long-term consequences for potential victims.
If you’re a First American customer or think you were party to a transaction that also involved the company there isn’t a lot you can do to protect yourself against the possibility that your data was stolen as a result of this exposure. But watch your bank and credit card statements for suspicious activity. Consider purchasing credit monitoring or, better yet, avail yourself of a free credit monitoring offer from another security incident your data was involved in. By this point, you've almost certainly qualified for it. You can also consider a credit freeze.
Security practitioners always hope that major security incidents, like the notorious Equifax breach, will be a wake up call to all companies. But the consequences for such missteps are only first starting to appear. On Wednesday, for example, Moody’s downgraded its ratings outlook for Equifax. A spokesperson said, “It’s the first time that cyber has been a named factor in an outlook change." Until other dramatic economic motivators emerge, disasters like First American, or worse, will continue.
This content has been reproduced from its original source.
SHARE:Thieves simply change ownership of your home from YOU to THEM. Then they TAKE OUT LOANS on your home and just disappear - leaving YOU with the payments and a mountain of legal bills.
Click to see if your home's title has been compromised.
Get your FREE TITLE SCAN and COMPREHENSIVE TITLE REPORT (a $100 value FREE with sign up)
Speak to a live agent
(800) 899-6268
Money Back Guarantee
"I've been a Home Title Lock customer for 2 years. Their customer service is excellent and I most appreciate the comfort that comes from knowing that I will be immediately alerted and assisted if anyone ever attempts to fraudulently use my title."
Property ownership is not just the American dream, it's also the most flexible financial tool to build family prosperity. Home Title Lock ensures that your assets are protected against Title Fraud and Title Thieves.
Thirty years ago we started creating the largest database of property records in the United States. Today, that database has 6.1 billion property records. We protect your property value and ownership from on-line threats both foreign and domestic.
Speak to a live agent
(800) 899-6268
Five charged with deed fraud involving North and West Philly properties
Five people who city prosecutors said Monday had been arrested on charges that they used forged deeds to steal houses. They face counts of fraud, conspiracy, and other offenses in the alleged theft of 11 properties, all but two in North Philadelphia. Most of the allegedly fraudulent transactions were certified by notary Demeshia Harris-Bey, 42, who is also among those charged. Also charged was Harris-Bey’s husband, Robert Harris-Bey, 58; he and his wife are accused in the theft of nine of the properties.
Is home title theft a real thing? You bet it is, and here’s how to protect your property
The Watchdog surveyed the county clerks in Dallas, Denton, Collin and Tarrant counties. I also talked to the company that bombards us with advertising. I have experience covering this. A decade ago, I told the story of Norris Fisher, who stole 170 homes in Tarrant County (some kind of record) before he was shipped off to prison. So yeah, it’s real. Crooks can forge names and use fake notary public seals and change the ownership of your house without you knowing it.
Retired Teacher Evicted from Her Home
Domestic and international thieves scour online records for homes with equity. It could be the home you live in, your vacation home, a home of an elderly relative, or rental property you own.
Once they change your home's ownership from YOU to THEM, they re-file the Quitclaim Deed for your home with the proper authorities so it appears your home has been legally sold.
They take out personal loans through banks and online lenders using all your home's equity. You likely won't know you're a victim until you start receiving late payments or foreclosure notices.
Click to see if your home's title has been compromised.
Get your FREE TITLE SCAN and COMPREHENSIVE TITLE REPORT (a $100 value FREE with sign up)
Speak to a live agent
(800) 899-6268
Everything is stored online these days - including your home's title. Domestic and international cyber-thieves target U.S. homeowners equity in their homes. Removing you from your home's title takes just minutes. Then they forge their name on the title document and refile it. Next, they take out loans using your home's equity and stick you with the payments. You likely won't know until you get a late payment or foreclosure notice from several banks.
Get your FREE TITLE SCAN and COMPREHENSIVE TITLE REPORT (a $100 value FREE with sign up)
SIGNUP TODAY© 2015-2021 Title Lock Corporation. All Rights Reserved.
