[BreachExchange] Millions of real estate records were publicly accessible due to lax security

Destry Winant destry at riskbasedsecurity.com
Tue May 28 10:06:07 EDT 2019 

https://www.digitaltrends.com/news/real-estate-records-exposed/

A major financial services company, First American Corporation, has
left millions of records publicly accessible on its servers. The data
included bank account details, bank statements, mortgage records,
driver’s license images, and Social Security numbers, and was
available to access without authorization by anyone who connected to
an area of the company’s website.

The company provides title insurance and settlement services, and is a
major player in the real estate and mortgage industries. The publicly
accessible data was discovered by a real estate developer who reported
it to the company but got no response. He then shared the finding with
an online security blog.

“Closing agencies are supposed to be the only neutral party that
doesn’t represent someone else’s interest, and you’re required to have
title insurance if you have any kind of mortgage,” Ben Shoval, the
developer who discovered the leak, said to KrebsOnSecurity. “The title
insurance agency collects all kinds of documents from both the buyer
and seller, including Social Security numbers, drivers licenses,
account statements, and even internal corporate documents if you’re a
small business. You give them all kinds of private information and you
expect that to stay private.”

As many as 885 million files were accessible, dating back to 2003. It
is not known at this time how long the documents were exposed for, but
they were available from at least March 2017. First American
Corporation has not confirmed how many people’s data was vulnerable or
whether cyber criminalscould have been aware of the data before this
week.

The company learned about the accessibility of the documents on Friday
and reported that it immediately blocked external access to them and
began an investigation into any resulting security issues.

“First American has learned of a design defect in an application that
made possible unauthorized access to customer data,” a First American
spokesperson said in a statement shared with KrebsOnSecurity. “At
First American, security, privacy and confidentiality are of the
highest priority and we are committed to protecting our customers’
information. The company took immediate action to address the
situation and shut down external access to the application. We are
currently evaluating what effect, if any, this had on the security of
customer information. We will have no further comment until our
internal review is completed.”

More information about the BreachExchange mailing list