First American site bug exposed 885 million sensitive title insurance records

News just in from security reporter Brian Krebs: Fortune 500 real estate insurance giant First American exposed approximately 885 million sensitive records because of a bug in its website.

Krebs reported that the company’s website was storing and exposing bank account numbers, statements, mortgage and tax records, Social Security numbers and driving license images in a sequential format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said.

There was no authentication required — such as a password or other checks — to prevent access to other documents.

According to Krebs’ report, the earliest document was labeled “000000075” — with newer documents increasing in numerical order, he said.

The data goes back at least to 2003, said Krebs.

“Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers,” wrote Krebs. First American is one of the largest real estate title insurance giants in the U.S., earning $5.8 billion in revenue in 2018.

First American spokesperson Marcus Ginnaty told TechCrunch:

On May 24, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data. Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. Therefore, the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.

Although the website was down, many of the documents are still cached in search engines, security researcher John Wethington told TechCrunch. We’re not linking to the exposed data while the data is still readable. Some 6,000 documents were still exposed following the disclosure, the spokesperson said, and the company was “taking the appropriate steps to remove the cache in question from the search engines.”

It’s the latest breach of sensitive mortgage data in recent months.

TechCrunch exclusively reported in January a trove of more than 24 million financial and banking documents were left inadvertently exposed on a public cloud storage server for anyone to access. The data contained loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life.

Updated with remarks from First American and new details about the cached data.