Brian Krebs has revealed that a company that primarily works in real estate insurance has left as many as 885 million records exposed on its website, going back to 2003. First American Financial Corp’s big mistake should have been obvious to anybody who had given a second thought to security. If you had the URL for any document on its website, you could simply add or subtract one from a number in the URL to access another document: a textbook insecure direct object reference, where the sequential document number in the URL was treated as the only authorization needed.
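To make the flaw concrete, here is an added illustration (not First American’s code, and not from Krebs’s report) of a document lookup keyed on a sequential number, beside a hardened version that checks ownership and issues unguessable links, plus a small log check a defender could run to spot a client walking through consecutive ids. The document store, user names and log lines are constructed for the example.

```python
"""Sequential document ids without an authorization check, and two fixes.
Added illustration; the store, users and log lines below are constructed."""
import secrets
from collections import defaultdict

# Constructed sample store keyed by a sequential numeric id, the kind of
# identifier the article describes appearing in the URL.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement (alice)"},
    1002: {"owner": "bob", "body": "account statement (bob)"},
    1003: {"owner": "carol", "body": "driver's licence scan (carol)"},
}


class Forbidden(Exception):
    """Raised when the requester may not see the document (or it does not exist)."""


def fetch_vulnerable(doc_id: int) -> str:
    """Mirrors the flaw described above: the number from the URL is the only
    thing consulted, so an adjacent id returns another customer's file."""
    return DOCUMENTS[doc_id]["body"]


def fetch_hardened(doc_id: int, requester: str) -> str:
    """Ownership check. A missing document and someone else's document give
    the same error, so the endpoint does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requester:
        raise Forbidden(f"document {doc_id} not available to {requester}")
    return doc["body"]


# Second layer: hand out unguessable link tokens instead of raw ids, so a leaked
# link cannot be turned into its neighbours. Ownership is still enforced.
_TOKEN_TO_ID: dict = {}


def issue_link(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a counter
    _TOKEN_TO_ID[token] = doc_id
    return token


def fetch_by_link(token: str, requester: str) -> str:
    doc_id = _TOKEN_TO_ID.get(token)
    if doc_id is None:
        raise Forbidden("unknown link")
    return fetch_hardened(doc_id, requester)


def neighbours_readable(doc_id: int, requester: str, hardened: bool) -> int:
    """How many of the two adjacent ids (id-1, id+1) the requester can read.
    With the vulnerable lookup every existing neighbour is readable."""
    count = 0
    for other in (doc_id - 1, doc_id + 1):
        try:
            if hardened:
                fetch_hardened(other, requester)
            else:
                fetch_vulnerable(other)
            count += 1
        except (KeyError, Forbidden):
            pass
    return count


# Detection side: constructed access-log lines of the form "client doc_id".
# A client that requests consecutive ids is the pattern worth alerting on.
SAMPLE_LOG = [
    "10.0.0.5 1001", "10.0.0.5 1002", "10.0.0.5 1003", "10.0.0.5 1004",
    "10.0.0.9 1002", "10.0.0.9 4417",
]


def sequential_walkers(lines, threshold: int = 3) -> list:
    """Return clients whose longest run of consecutive ids reaches threshold."""
    seen = defaultdict(list)
    for line in lines:
        client, doc_id = line.split()
        seen[client].append(int(doc_id))
    flagged = []
    for client, ids in seen.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(client)
    return flagged
```

The ownership check is the actual fix; the random token only limits how far a single leaked link can be stretched, and the log check is a cheap way to notice an enumeration in progress, which is exactly the evidence the company’s forensic review would be looking for.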
Given the type of business this company is in, those records include incredibly private information. Krebs spoke with Ben Shoval, who brought the exposure to his attention and who says the documents potentially included “Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”
As of today, the company has closed the hole in its website security. Right now, we can’t know whether anybody actually took advantage of this vulnerability. Contrary to how these sorts of data exposure disclosures usually go, First American Financial isn’t even saying that it has no evidence that the records were accessed. In a statement to Krebs, here’s what it said (emphasis below is ours):
First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.
This afternoon, First American provided a second statement to The Verge, adding that it’s hired a third-party forensic firm to find out if anyone might have accessed the records.