First American shut down external access to an application on Friday after cybersecurity expert Brian Krebs alerted the title insurer that millions of records were exposed online.
“The digitized records – including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images – were available without authentication to anyone with a Web browser,” Krebs wrote.
Krebs, widely followed by security experts via his krebsonsecurity.com website, said the documents he accessed included current records as well as data going back to 2003. He said he didn’t know if anyone had accessed the information for criminal purposes.
“As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings,” Krebs wrote. “By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state, but archive.org shows documents available from the site dating back to at least March 2017.”
Krebs posted an image of a record he got from the site related to the sale of a home in Scottsdale, Arizona. The document included a Social Security number, mobile phone number, home address, email address and marital status. Krebs redacted that information to protect the seller’s privacy.
There is no evidence the security hole was exploited, First American said in a regulatory filing today. If that changes, the company will notify affected customers and provide credit monitoring services to them, the company said.
“An outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised,” First American said in the filing with the Securities and Exchange Commission. “Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred.”
First American set up a web page it said it will use to provide updates on the security breach.