Understanding The First American Financial Data Leak: How Did It Happen?


Memorial Day weekend got off to a rough start for millions of Americans when security researcher Brian Krebs reported the discovery of more than 885 million sensitive documents exposed online by title insurance giant First American Financial. The files, stored on the company's website, firstam.com, contained bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver's licenses. All of that information, which dated back to 2003, sat without any protection at all: no password was needed to read it, only knowing where to look.

When a data leak like this occurs, it can be hard to tell just how severe it is. Without question it is troubling, and it does not inspire confidence in First American's ability to protect customer data. What makes the scope of this leak so hard to gauge is that the information simply sat exposed online. There was no clear breach of the company's servers and no evidence that a malicious third party actually retrieved the files. This isn't an Equifax situation, though it could be every bit as devastating if someone with bad intentions found the data first.

What happened at First American Financial is a common web application authorization flaw called Insecure Direct Object Reference (IDOR), according to Dave Farrow, Senior Director of Information Security at Barracuda Networks. Essentially, a link to a page containing sensitive information is generated for one specific party, but the server never checks that whoever follows the link is that party. As a result, anyone who obtains a link to one document can view it, and can reach every other document hosted on the site simply by changing the identifier in the link.

"No end user compromise is necessary," Farrow said. "The hacker has simply identified an authorization error in the website and walked through the front door."
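To make the flaw concrete, here is an added Python example, not code from the article or from First American, of the two handler shapes involved. The vulnerable handler looks a record up by the ID in the link and ignores who is asking; the hardened one authenticates the caller and then authorizes that specific record against its owner. The record store, user names, sequential document numbers and function names are all constructed for the example; sequential numeric IDs are assumed because that is the "modify the link" pattern the article describes.

```python
"""
Insecure Direct Object Reference: a document handler that trusts the ID in
the URL, next to a hardened handler that authorizes every lookup.
Sample data and function names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    label: str


# Constructed record store. Sequential numeric IDs are what makes
# "change the number in the link and see the next document" possible.
DOCUMENTS = {
    1001: Document(1001, "alice", "wire transfer receipt"),
    1002: Document(1002, "bob", "bank statement"),
    1003: Document(1003, "carol", "tax document"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(doc_id: int, requester: Optional[str]) -> Document:
    """The IDOR: the record is looked up by ID alone. The requester is
    ignored, so anyone holding (or guessing) an ID receives the file."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def fetch_document_hardened(doc_id: int, requester: Optional[str]) -> Document:
    """Authenticate first, then authorize the specific record against the
    caller. The ID in the link is treated as a hint, never as proof."""
    if requester is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same response for "no such record" and "not your record", so the
    # status code cannot be used to confirm which IDs exist.
    if doc is None or doc.owner != requester:
        raise NotFound(doc_id)
    return doc


def enumerate_documents(fetch: Callable[[int, Optional[str]], Document],
                        requester: Optional[str], start: int, count: int) -> List[int]:
    """Walk sequential IDs the way an attacker who found one link would,
    and return the IDs that were actually served."""
    served = []
    for doc_id in range(start, start + count):
        try:
            served.append(fetch(doc_id, requester).doc_id)
        except (NotFound, Forbidden):
            continue
    return served


if __name__ == "__main__":
    print("vulnerable, no login:", enumerate_documents(fetch_document_vulnerable, None, 1000, 10))
    print("hardened, no login:  ", enumerate_documents(fetch_document_hardened, None, 1000, 10))
    print("hardened, as alice:  ", enumerate_documents(fetch_document_hardened, "alice", 1000, 10))
```

Against the vulnerable handler the walk returns every stored document with no login at all; against the hardened one an anonymous walk returns nothing and a logged-in user sees only her own record. Replacing sequential numbers with random, unguessable identifiers raises the cost of enumeration, but it is not a substitute for the ownership check: a leaked or search-engine-cached link would still open for anyone who holds it.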

Even after discovering the IDOR issue, pulling documents by hand is a time-intensive task that takes some guesswork and pattern identification, though given what is exposed here it may well be worth an attacker's labor. Things get significantly easier for an attacker (and significantly worse for potential victims) if the documents are harvested in bulk.

It's possible that information from First American could have been collected and indexed by bots. Done carelessly, such an effort might tip off the defenses of First American and result in the company deflecting the malicious attempts to access documents. But carried out through a "low and slow" attack, which uses fewer requests to avoid detection, it's possible that someone could have scooped up a considerable chunk of the sensitive documents hosted on the site.

According to data provided by Distil Networks, advanced persistent bots (APBs) are often used to carry out these types of attacks. They also made up 73.6 percent of all "bad bot" traffic in 2018. According to the company, these bots often avoid typical triggers that malicious attacks would hit, like failed login attempts and excessive traffic from a single IP address. While Krebs said in his report that there is no clear indication such an attack did happen, he noted that even a "novice attacker" could carry out such a scheme and could go undetected.
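The "low and slow" harvesting described above is built to stay under per-IP triggers. As an added detection example, not code from the article or from the vendors it quotes, the following Python runs two checks over constructed web-server access-log lines: the naive per-IP volume threshold, which fires on nothing because each source stays quiet, and a detector that looks across all clients in time order for runs of consecutive document IDs, which is the trace a sequential-ID enumeration leaves however the requests are spread across sources. The log format, IP addresses, document numbers and thresholds are assumptions made for the example.

```python
"""
Spotting "low and slow" IDOR enumeration in access logs.
Constructed sample log lines (not real First American traffic); the
URL layout, addresses and thresholds are assumptions for the example.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Four attacker addresses take turns, so no single IP stands out, while the
# requested document IDs climb by exactly one. Two benign requests bracket them.
SAMPLE_LOG = """\
198.51.100.7 - - [28/May/2019:00:55:10 +0000] "GET /docs/2417 HTTP/1.1" 200
203.0.113.10 - - [28/May/2019:01:00:00 +0000] "GET /docs/1001 HTTP/1.1" 200
203.0.113.11 - - [28/May/2019:01:04:30 +0000] "GET /docs/1002 HTTP/1.1" 200
203.0.113.12 - - [28/May/2019:01:09:05 +0000] "GET /docs/1003 HTTP/1.1" 200
203.0.113.13 - - [28/May/2019:01:13:40 +0000] "GET /docs/1004 HTTP/1.1" 200
203.0.113.10 - - [28/May/2019:01:18:15 +0000] "GET /docs/1005 HTTP/1.1" 200
203.0.113.11 - - [28/May/2019:01:22:50 +0000] "GET /docs/1006 HTTP/1.1" 200
203.0.113.12 - - [28/May/2019:01:27:25 +0000] "GET /docs/1007 HTTP/1.1" 200
203.0.113.13 - - [28/May/2019:01:32:00 +0000] "GET /docs/1008 HTTP/1.1" 200
203.0.113.10 - - [28/May/2019:01:36:35 +0000] "GET /docs/1009 HTTP/1.1" 200
203.0.113.11 - - [28/May/2019:01:41:10 +0000] "GET /docs/1010 HTTP/1.1" 200
203.0.113.12 - - [28/May/2019:01:45:45 +0000] "GET /docs/1011 HTTP/1.1" 200
203.0.113.13 - - [28/May/2019:01:50:20 +0000] "GET /docs/1012 HTTP/1.1" 200
198.51.100.8 - - [28/May/2019:01:58:00 +0000] "GET /docs/3090 HTTP/1.1" 200
"""

# Common-log-format line with an assumed /docs/<number> document URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
    r'"GET /docs/(?P<doc>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_log(text: str) -> List[Dict]:
    """Turn matching lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], TS_FMT),
                "ip": m["ip"],
                "doc": int(m["doc"]),
                "status": int(m["status"]),
            })
    return sorted(events, key=lambda e: e["ts"])


def per_ip_volume_alerts(events: List[Dict], max_requests: int) -> List[str]:
    """The classic trigger: one address making too many requests.
    A rotated, rate-limited harvester never trips it."""
    counts = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n > max_requests)


def _summarize(run: List[Dict]) -> Dict:
    return {
        "first_doc": run[0]["doc"],
        "last_doc": run[-1]["doc"],
        "requests": len(run),
        "distinct_ips": len({e["ip"] for e in run}),
        "minutes": (run[-1]["ts"] - run[0]["ts"]).total_seconds() / 60,
    }


def sequential_run_alerts(events: List[Dict], min_run: int) -> List[Dict]:
    """Look across all clients, in time order, for successful hits on
    consecutive document IDs. Non-200 probes are skipped rather than
    breaking the run, since a 404 on a gap is still part of the walk."""
    alerts, run = [], []
    for e in events:
        if e["status"] != 200:
            continue
        if run and e["doc"] == run[-1]["doc"] + 1:
            run.append(e)
        else:
            if len(run) >= min_run:
                alerts.append(_summarize(run))
            run = [e]
    if len(run) >= min_run:
        alerts.append(_summarize(run))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP alerts (limit 5):", per_ip_volume_alerts(evts, 5))
    for a in sequential_run_alerts(evts, 8):
        print("sequential run:", a)
```

On the sample, the per-IP check reports nothing, while the run detector reports one walk from document 1001 to 1012 spread over four addresses and roughly fifty minutes. In production traffic legitimate requests interleave with the walk, so a deployable version tolerates small gaps or counts distinct IDs per session over a sliding window; either way this is a compensating control, and the actual fix remains the authorization check on every lookup.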

Even if no attacker ever found the documents, at least some of them were captured by search engines. According to First American, cached copies of at least 6,000 exposed documents were still readable online. The company is working to have them removed, but until that happens those documents remain available, sensitive information and all, to anyone who finds them.

With a considerable amount of valuable information both still online and potentially already collected by a bad actor, there now looms the threat that someone will put it to malicious use. That will most likely manifest as Business Email Compromise (BEC), according to Barracuda Networks' Farrow. These attacks are phishing and social engineering schemes used to gain access to a company's network, to extract sensitive information, or to get money sent to the attacker.

With a trove of customer data out there, it wouldn't be difficult for an attacker to impersonate a First American client and attempt to change the details of an agreement, ask for additional information that could lead to financial gain, or redirect a wire transfer to an account they control. Barracuda Networks estimates these types of attacks represent over $12 billion in losses to businesses.

We are seeing an increasing trend in BEC attacks where hackers take over legitimate accounts and learn about organizational details and any deals in process. They then launch a well-timed BEC attack from the compromised accounts, asking for wire transfers or introducing last-minute changes to account details to defraud organizations. Because these attacks originate from legitimate accounts and often target internal employees, many email security solutions will struggle to detect and block the attack.

The trouble with a data exposure like the one at First American is that it's hard to pinpoint how many people are actually affected. In the lucky case, this huge cache of sensitive files sat online undetected and nearly everyone is in the clear. In the worst case, every last one of those files was captured, saved, and can be used for years to come to target individuals and companies.

First American has yet to provide any assistance to help its customers protect themselves. If you've done business with First American at any point since 2003, it may be best to freeze your credit at major credit bureaus for the time being. Doing so will prevent any unauthorized parties from taking out loans or starting a line of credit in your name without your permission.

This content has been reproduced from its original source.
