Title Insurance Company Leaks 885 Million Mortgage Records

Brian Krebs reported Santa Ana, Calif.-based First American, a leading provider of title insurance/settlement services to the real estate and mortgage industries, exposed 885 million records going back to 2003.

Brian Krebs in his Krebs on Security blog reported the company’s website was storing digitized records including bank account numbers and statements, mortgage and tax records, and Social Security numbers, wire transaction receipts, and driver’s license images in an enumerable format.

A Washington state real estate developer issue alerted Krebs in mid-May that anyone who knew the URL for a valid document at the First American website could view other documents just by modifying a single digit in the link. KrebsOnSecurity confirmed the real estate developer’s findings, “And this would potentially include anyone who’s ever been sent a document link via email by First American.”

Krebs also reported First American would not comment on the overall number of records potentially exposed via their site, or how long those records were publicly available. But a spokesperson for the company did share the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

Nevertheless, First American is facing a class action lawsuit over the data exposure.

“This kind of disclosure isn’t common; usually the back doors are from vulnerabilities that have not yet been discovered or patched,” Byron Rashed, vice president of marketing at Herndon, Va.-based cyberthreat intelligence firm Centripetal, said.  “In this case, there was no authentication – if you stole credentials from somewhere else, you could access all kinds of account information.” Rashed added it is very surprising for a Fortune 500 company to have this kind of security posture. “What they should have done is what most companies do -authenticate with a password or two-factor authentications. This so beyond a textbook example of a breach.”

According to Colin Bastable, CEO of Austin, Texas-based cybersecurity test and training company, Lucy Security, “This is careless and incompetent complacency, and it goes back to 2003. You might have thought that there would have been a security audit in the last 16 years, or that someone would have noticed that data attracts data thieves: ‘Hey, is all this data really secure?’”

Bastable detailed how years ago, a teenager from England managed to roam around Defense Department servers because they had no password protection. “The problem is longstanding. Out of convenience or forgetfulness, and by people making assumptions, so much data is left unguarded.”

Bastable did not stop there. “The distributed and fragmented nature of the U.S. property market, with its many moving parts and multiple actors having a hand in each property transaction (for a slice of the action), means that ease of access to data is given greater priority than security of the data.” The Lucy Security CEO noted to cut costs, large corporations outsource many functions to third parties who all need access to the data, not unlike the U.S. healthcare industry. “Government adds to the problem by requiring multiple audit trails and adding layers of compliance. So, we should not be surprised that data security is chronically impaired in the U.S. property market. The technologies and policies and procedures have long existed to secure this type of data, but somehow it is often too inconvenient to apply them.”

Tyler Owen, director, solution engineering at San Jose-based cloud security company CipherCloud also commented. “Unfortunately, these types of data leakages are quite common. In the past two weeks we have seen multiple databases of millions of records exposed with no authentication or controls. Often times there are easy fixes for many of these breaches with the appropriate planning and right tools.”