Real estate title insurance company exposed 885,000,000 customer records, going back 16 years: bank statements, drivers' licenses, SSNs, and tax records


First American Financial Corp is a Fortune 500 company that insures titles on people's property. Its insecure website exposed 885,000,000 property-title records going back 16 years, including bank account numbers (with scanned statements), Social Security numbers, wire transaction receipts, scanned drivers' licenses, tax records, mortgage records and more. When notified of the error, the company (which employs 18,000 people and grossed more than $5.7B last year) fixed the misconfiguration.

It's not clear whether any of the records were actually accessed by an unauthorized party or, if so, which ones.


The error was in the company's customer portal, which anyone who ever closed a real-estate purchase mediated by First American would have accessed. All it took to gain access to other people's records was to change the customer number in the portal: adding or subtracting one stepped through every record on file, back to 2003. This is a textbook insecure direct object reference (IDOR): the server used a sequential, guessable identifier and never checked that the person asking for a record was the person it belonged to.
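The enumeration described above, as an added illustration that is not First American's code (the handler, the in-memory document store and the sample records are constructed for this example): a lookup keyed only on a sequential number beside a version that authenticates the caller and checks ownership on every request, plus a simulated plus-or-minus-one walk showing what each hands back.

```python
"""Sequential-ID record lookup with no authorization check, beside a
hardened form. Added example with a constructed in-memory store; it is
not code from First American or from the Krebs article."""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    contents: str


# Constructed sample records: sequential IDs, each belonging to one customer.
DOCUMENTS = {
    1001: Document(1001, "alice", "wire receipt: account ending 4417"),
    1002: Document(1002, "bob", "scanned driver's license"),
    1003: Document(1003, "carol", "2003 tax return"),
}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or not the owner's."""


# --- Vulnerable: the identifier alone is treated as proof of entitlement ---
def get_document_vulnerable(doc_id: int) -> Optional[Document]:
    # Whoever supplies a valid number gets the record; nothing ties the
    # request to a logged-in customer, so +/-1 walks the whole table.
    return DOCUMENTS.get(doc_id)


# --- Hardened: authenticate, then enforce ownership on every lookup ---
def get_document(session_user: Optional[str], doc_id: int) -> Document:
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same error whether the record is missing or belongs to someone else,
    # so the endpoint does not confirm which IDs exist.
    if doc is None or doc.owner != session_user:
        raise Forbidden("not found")
    return doc


def walk_ids(fetch: Callable[[int], Optional[Document]], start: int,
             span: int = 1) -> List[int]:
    """Simulate the +/-1 walk: return the IDs of every record that
    `fetch` hands back for start-span .. start+span."""
    found = []
    for candidate in range(start - span, start + span + 1):
        try:
            doc = fetch(candidate)
        except Forbidden:
            continue
        if doc is not None:
            found.append(doc.doc_id)
    return found


def new_document_id() -> str:
    """Defence in depth: an unguessable identifier defeats the +/-1 walk,
    but it is no substitute for the ownership check above."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Bob holds record 1002 and tries its neighbours.
    print("vulnerable:", walk_ids(get_document_vulnerable, 1002))
    print("hardened, logged in as bob:",
          walk_ids(lambda i: get_document("bob", i), 1002))
    print("hardened, not logged in:",
          walk_ids(lambda i: get_document(None, i), 1002))
    print("opaque id:", new_document_id())
```

The vulnerable lookup returns all three records to anyone who walks the neighbouring numbers; the hardened one returns only Bob's own record to Bob and nothing to an unauthenticated caller. The ownership check is the actual fix; switching to random identifiers only makes the walk impractical and should be layered on top of it, not used instead.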


KrebsOnSecurity confirmed the real estate developer's findings, which indicate that First American's Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.

Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers. Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said that's because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.

"Closing agencies are supposed to be the only neutral party that doesn't represent someone else's interest, and you're required to have title insurance if you have any kind of mortgage," Shoval said.

First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records [Brian Krebs/Krebs on Security]

(via The Verge)