A leading US real estate and mortgage insurer, First American Financial Corp., left vulnerable an enormous trove of digital documents, some of which may have contained Social Security numbers and bank account information.
Bad actors only needed a web address to view the documents as they were left without password protection or other encryption, according to a Friday post from the popular cybersecurity blog Krebs on Security, which is run by journalist Brian Krebs.
The information had been hosted online since at least March 2017, according to the post, and nearly 900 million files may have been exposed, though it is not clear if any were improperly accessed.
Some of the documents included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers’ license images, according to the Krebs post.
First American confirmed in a statement to CNN Business Saturday that “On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data.”
“The company took immediate action to address the situation and shut down external access to the application,” the statement reads. “We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
The company did not confirm how many documents may have been exposed or detail how many customers could have been impacted over what time period.
Krebs said it notified First American of the vulnerability on Friday.
According to the Krebs blog, it was extremely easy to access the documents: if a person knew the URL of one document — say if First American sent you a link to a document involved in your real estate loan — slightly tweaking the last few digits of the web address could take the user directly to another person’s sensitive information. The security experts were able to find documents going back to 2003.
It noted that data vulnerabilities of this type are common yet preventable. Jewelry maker Kay Jewelers, financial services firm Fiserv, and identity theft protection service LifeLock have all remedied similar exposures in the past year, the post said.