A newly discovered design flaw on the website of First American Financial Corp., a massive publicly traded title insurance company, allowed anyone with internet access to view roughly 885 million highly sensitive real estate documents, according to a report out Friday.
The documents contained Social Security numbers, mortgage and tax records, driver's license images, bank account numbers and other information, according to Brian Krebs, an independent cybersecurity journalist and researcher, writing on his website, Krebs on Security.
Though the security breach had been fixed as of Friday, it previously let anyone who had a link to certain documents on First American’s website access additional electronic records simply by changing a single digit in the URL.
Krebs — a former Washington Post reporter who now runs his eponymous site — wrote that he first learned that the massive trove of documents was freely available after a real estate developer contacted him to say that First American’s website was “leaking tens if not hundreds of millions of records.”
Krebs then confirmed that report and discovered that roughly 885 million documents spanning 16 years were publicly viewable. He wrote that “no authentication was required to read the documents,” some of which were PDF files that detailed upcoming real estate transactions.
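The flaw described above is a missing authorization check on a predictable document number. The following sketch is an added example, not code from First American or from Krebs's report. It sets a lookup that trusts the number in the link beside one that requires a session and checks ownership; every name, record and token in it is constructed for illustration.

```python
# Added illustration: constructed data, hypothetical names throughout.
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int          # sequential number that appears in the shared link
    transaction_id: str  # real estate transaction the record belongs to
    body: str

# Constructed sample records; IDs are consecutive, as in the flaw described.
STORE = {
    1001: Document(1001, "txn-A", "closing statement A"),
    1002: Document(1002, "txn-B", "wire instructions B"),
    1003: Document(1003, "txn-B", "tax record B"),
}

# Constructed session table: token -> transactions that user is a party to.
SESSIONS = {
    "token-alice": {"txn-A"},
    "token-bob": {"txn-B"},
}

class AccessDenied(Exception):
    pass

def fetch_flawed(doc_id):
    """Behaviour the article describes: the number in the URL is the only input."""
    doc = STORE.get(doc_id)
    return doc.body if doc else None

def fetch_checked(doc_id, session_token):
    """Require a valid session, then authorize against the record's transaction."""
    allowed = SESSIONS.get(session_token)
    if allowed is None:
        raise AccessDenied("authentication required")
    doc = STORE.get(doc_id)
    # Same error for 'missing' and 'not yours' so responses do not reveal
    # which document numbers exist.
    if doc is None or doc.transaction_id not in allowed:
        raise AccessDenied("not found or not permitted")
    return doc.body

if __name__ == "__main__":
    print(fetch_flawed(1002))                  # another party's record, no login
    print(fetch_checked(1001, "token-alice"))  # owner's own record
```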
Southern California-based First American provides an array of real estate-related services including title insurance for residential, commercial and developer-related transactions. The company also offers mortgage services for lenders, home warranties, trust services, and various other products.
In 2018, First American reported $5.7 billion in revenue. In its most recent earnings report, the publicly traded company described itself as “a leading global provider of title insurance, settlement services and risk solutions for real estate transactions.”
Though the company’s stock rose slightly while markets were open Friday, its share price subsequently fell more than 2 percent in after-hours trading as investors reacted to news of the security breach.
In a statement to Inman Saturday, the company said that it discovered a “design defect in one of its production applications that made possible unauthorized access to customer data.”
“Therefore, the company took immediate action to address the situation and shut down external access to the application,” the statement continued. “We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
In the meantime, Krebs wrote that he did “not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested.”
However, it would not have been difficult for bad actors to get and use the information in the First American documents, and as Krebs points out, that data would be a “virtual gold mine for phishers and scammers.”
The breach also comes amid growing concern over cybersecurity in the real estate industry. Late last year, for example, scammers stole an entire $122,850 down payment from an Oregon family via a phishing scheme. That same month, the National Association of Realtors reported that its members were the targets of an ongoing email scam.
Additional reports also show that such incidents are not isolated; a report in late 2017 found that escrow scams had grown by $950 million that year, and at the end of 2018 a report revealed that real estate companies had suffered an average of 54 cyber attacks in the previous quarter alone.
The 2018 report also found that real estate companies are prime targets for cyber attacks in part because they deal with high-dollar transactions that often take place online.