[BreachExchange] First American Hit With Class Action Lawsuit Over Massive Data Exposure

Destry Winant destry at riskbasedsecurity.com
Wed May 29 10:11:06 EDT 2019


https://www.forbes.com/sites/ajdellinger/2019/05/28/first-american-hit-with-class-action-lawsuit-over-massive-data-exposure/#1fae5f1d59c3

Last week it was revealed that insurance giant First American
Financial left more than 885 million sensitive documents dating as far
back as 2003 exposed online. Now the company is facing a class action
lawsuit for its apparent negligence. Gibbs Law Group LLP announced
today that it is bringing the first nationwide class action lawsuit
against the multibillion-dollar corporation.

The legal action, filed with the United States District Court for the
Central District of California, is being brought by David Gritz, a
Pennsylvania resident who has flipped multiple houses. First American
was the title insurer for at least 11 of his housing transactions,
according to the lawsuit. The complaint suggests the members of the
class affected by First American's data exposure could be in the
millions, and the lawsuit is seeking over $5 million.

The complaint focuses on a vulnerability discovered on First
American's website that allowed anyone to gain access to sensitive
documents without needing a password or any sort of authentication.
The information was available to anyone who knew or guessed the
correct URL. The exposed files contained bank account numbers, bank
statements, mortgage records, tax documents, wire transfer receipts,
Social Security numbers and photos of driver's licenses.

According to the lawsuit, the exposure of that information was a
significant violation of privacy promised by First American. The
company's privacy policy claims it is "committed to safeguarding
customer information" and claims to use its "best efforts to ensure
that no unauthorized parties have access" to any customer data. First
American also claims to "restrict access to nonpublic personal
information" about its clients to "those individuals and entities who
need to know that information."

The data exposure seems to undermine those promises. While the
situation isn't a data breach, the company did leave sensitive
information available for third parties to view. It's not clear that
any malicious or unauthorized parties actually did gain access to the
files, other than the researchers who discovered the exposure.
However, it is clear that the data was left accessible and
unprotected—and some of the exposed documents were cached by search
engines and still available to view online.

In addition to the uncomfortable fact that sensitive information was
sitting online without protection, it's possible that if the
information was harvested by a malicious actor, it could be used
to compromise the privacy and security of individuals or businesses. The
lawsuit alleges that First American has exposed its customers to the
potential for identity theft and other cyber crimes.

“Consumers did not deserve for their personal information to be
treated so recklessly,” Andre Mura of Gibbs Law Group said in a
statement.

“It is shocking that a company of this magnitude would blatantly
disregard the most basic safety protocols when housing troves of
highly-sensitive, personal information,” data breach attorney David
Berger added.

