Published on May 27th, 2019

Title Company Exposes 16 Years of US Mortgage Data



Breach Response, Data Breach, Identity & Access Management

First American Mortgage Corp. Left Documents on Web Without Authentication

Photo: Diana Parkhouse via Flickr/CC

If there's one transaction where a person's financial life is laid bare to many external parties, it's buying a house. The sheer number of documents that get shuffled around is a huge potential score for an identity thief.


And on Friday Brian Krebs revealed an astounding data exposure at First American Financial Corp. of Santa Clara, Calif., which is one of the largest providers of title insurance and settlement services for homebuyers in the U.S. The company registered $5.7 billion in revenue in 2018, according to its annual report.

Krebs was tipped off by real estate developer Ben Shoval that the company's website had exposed 885 million housing-related files going back to 2003.

The documents included wire transactions with bank account numbers and post-dated PDFs for upcoming closings. Other documents included tax records and driver's license images. The data is now offline.

Still in Cache

A redacted document posted by Krebs was labeled "seller information" and includes the person's name, marital status, physical address, email address, mortgage lender and Social Security number.

Shoval tells Krebs he discovered that with a valid link to First American's data trove, incrementing a single digit in the link could bring up other documents without any authentication. The type of vulnerability, an insecure direct object reference, is an elementary but common one in web applications.

"The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."
—First American Mortgage Corp.

Shoval notified Krebs after failing to receive a response from First American. By Friday afternoon EST, First American had disabled the site.

But TechCrunch reports that as many as 6,000 documents are still in the cache of search engines, although First American was taking steps to get that data removed.

Investigation Underway

Krebs writes that the files appear to be organized sequentially, with the earliest records having lower nine-digit numbers than the later ones. He found one, "000000075", which appeared to be from 2003.

A First American spokesman tells ISMG "the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information."

The spokesman says First American has hired a forensics firm to determine if there was "any meaningful unauthorized access to our customer data." The company didn't specify how many people may be affected.

First American didn't answer questions as to whether it planned to notify those whose data was exposed or regulators.

As Krebs points out, the risk is that attackers did discover the data and accessed it slowly so as not to trigger anti-bot detection mechanisms. But another problem is that access logs are typically discarded. If First American's data exposure has been a multi-year problem, there'd be no forensic data left, making it difficult to assess the ongoing risk.
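
The detection gap described above, as an added example (not code from the article, Krebs or First American): a log review that flags clients by how many consecutive document numbers they fetched over the whole retained history, so a slow walk that stays under a rate-based bot threshold still stands out. The log line format, the `/docs/view` path and the `DocumentID` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). The /docs/view path and the
# DocumentID parameter name are assumptions made for this example.
SAMPLE_LOG = """\
198.51.100.7 [2019-05-01T09:00:00] GET /docs/view?DocumentID=000000075 200
198.51.100.7 [2019-05-02T09:10:00] GET /docs/view?DocumentID=000000076 200
198.51.100.7 [2019-05-03T08:55:00] GET /docs/view?DocumentID=000000077 200
198.51.100.7 [2019-05-04T09:20:00] GET /docs/view?DocumentID=000000078 200
198.51.100.7 [2019-05-05T09:05:00] GET /docs/view?DocumentID=000000079 200
203.0.113.20 [2019-05-01T10:00:00] GET /docs/view?DocumentID=000412907 200
192.0.2.5 [2019-05-02T11:00:00] GET /docs/view?DocumentID=000100001 200
192.0.2.5 [2019-05-02T11:01:00] GET /docs/view?DocumentID=000250500 200
192.0.2.5 [2019-05-02T11:02:00] GET /docs/view?DocumentID=000300750 200
192.0.2.5 [2019-05-02T11:03:00] GET /docs/view?DocumentID=000412000 200
192.0.2.5 [2019-05-02T11:04:00] GET /docs/view?DocumentID=000500123 200
"""

LINE_RE = re.compile(r"^(\S+) \[[^\]]+\] GET \S*[?&]DocumentID=(\d{9}) (\d{3})$")

def parse(log_text):
    """Yield (client, document_id) for each successful document fetch."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "200":
            yield m.group(1), int(m.group(2))

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def flag_enumerators(log_text, min_distinct=5, min_run=5):
    """Return {client: (distinct_ids, longest_run)} for ID-walking clients.
    Timestamps are ignored on purpose: one fetch a day evades rate limits
    but still builds a long consecutive run over the retained history."""
    seen = defaultdict(set)
    for client, doc_id in parse(log_text):
        seen[client].add(doc_id)
    stats = {c: (len(ids), longest_run(ids)) for c, ids in seen.items()}
    return {c: s for c, s in stats.items()
            if s[0] >= min_distinct and s[1] >= min_run}
```

A check like this only works over logs that still exist, which is the article's point about discarded access logs: the retention period bounds how far back an exposure can be assessed.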
