885M Mortgage, Title Docs Exposed in Data Breach

May 28, 2019

About 885 million mortgage documents dating back to 2003 have been exposed by a data breach within First American Financial Corp., a title insurance provider, the KrebsOnSecurity news site reports.

The breach exposed bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images online, the security site reported.

“On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data,” First American released in a statement to USA Today. “Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”

First American says it addressed the breach immediately and shut down external access to the application. “We are currently evaluating what effect, if any, this had on the security of customer information,” the statement read. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”

Brian Krebs, author of the report, says that he was contacted by Ben Shoval, a Washington state real estate developer, about the possible leak of millions of records on a portion of First American’s website. Anyone who knew the URL for a valid document at the website could view other documents by modifying just a single digit within the link, the report said.

“The exposure suffered by First American underscores the need for a comprehensive approach to securing systems and networks, especially areas that house sensitive information,” Bob Rudis, chief data scientist at the Rapid7 Labs security company, told USA Today. “Firewalls, anti-malware solutions, and other security-specific controls are not sufficient to reduce unwanted exposure.”

Security analysts recommend that until the full impact of the latest breach is discovered consumers can monitor their credit reports regularly and put a freeze on all new credit applications. Also, they can use tools by their financial organization to ensure no activity is occurring on their accounts without their knowledge.