On Friday May 24, 2019, independent security journalist Brian Krebs revealed that real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access.
Krebs reported that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts. The digitized records were available without authentication to anyone with a Web browser.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data," First American said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
In its statement, the company also stated that an outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised, and that “at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred.”
The company plans to provide updates on its investigation exclusively on its website.
Gibbs Law Group LLP has filed the first nationwide class action lawsuit accusing First American Title Company of failing to properly secure 885 million sensitive customer files, instead choosing to store them in a “woefully insecure,” publicly accessible system. Specifically, the lawsuit alleges that First American Title Company was negligent and violated its contracts with customers in the way it stored their personal information, leaving them vulnerable to identity theft and other cybercrimes.
As if a wake-up call were needed on the topic of data security, let us hope that this development will encourage all title companies to review their data security practices robustly. Corporate customers of First American (and other title insurance companies) should also consider reviewing their arrangements with the companies to assure that sensitive customer information is properly secured.