Title Company Exposes 16 Years of US Mortgage Data
First American Mortgage Corp. Left Documents on Web Without Authentication
By: Jeremy Kirk
If there's one transaction where a person's financial life is laid bare to many external parties, it's buying a house. The sheer number of documents that get shuffled around is a huge potential score for an identity thief.
And on Friday Brian Krebs revealed an astounding data exposure at First American Financial Corp. of Santa Clara, California, which is one of the largest providers of title insurance and settlement services for home buyers in the U.S. The company had $5.7 billion in revenue in 2018, according to its annual report.
Krebs was tipped off by real estate developer Ben Shoval that the company's website had exposed 885 million housing-related files going back to 2003.
The documents included wire transactions with bank account numbers and post-dated PDFs for upcoming closings. Other documents included tax records and driver's license images. The data is now offline.
Still in Cache
A redacted document posted by Krebs labeled "seller information" includes the person's name, marital status, physical address, email address, mortgage lender and Social Security number.
Shoval tells Krebs he discovered that with a valid link to First American's data trove, incrementing a single digit in the link could bring up other documents without any authentication. This type of vulnerability, an insecure direct object reference, is an elementary but common one in web applications: the identifier in the URL is used directly to look up the record, and nothing checks that the requester is entitled to it.
"The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."
—First American Mortgage Corp.
Shoval notified Krebs after failing to receive a response from First American. By Friday afternoon EDT, First American had disabled the site.
But TechCrunch reports that as many as 6,000 documents are still in the cache of search engines, although First American was taking steps to get that data removed.
Krebs writes it appears that the files are organized sequentially, with the earliest records having a lower nine-digit number than the later ones. He found one "000000075" - which appeared to be from 2003.
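The two paragraphs above describe the flaw in general terms: a predictable nine-digit sequential identifier in the link, and a lookup that never ties the request to an entitled party. The following added example (not code from First American's application or from the article) models that pattern with a constructed in-memory document store and hypothetical function names. It shows the vulnerable lookup next to a hardened one that requires an authenticated principal and an ownership check, and adds random, expiring share tokens for parties who have no account, so that a link no longer reveals its neighbours.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Document:
    doc_id: str      # nine-digit sequential id, as the article describes
    owner: str       # account entitled to view the record
    contents: str

# Constructed sample records keyed by a sequential id; not real data.
DOCUMENTS: Dict[str, Document] = {
    "000000075": Document("000000075", "alice", "seller information (2003)"),
    "000000076": Document("000000076", "bob", "wire instructions (2003)"),
    "000000077": Document("000000077", "alice", "tax record (2003)"),
}

class Forbidden(Exception):
    """Raised when a request is not entitled to the document."""

def fetch_document_insecure(doc_id: str) -> str:
    """The vulnerable pattern: the id taken from the URL is the lookup key and
    nothing ties the request to a logged-in principal, so changing one digit
    walks the whole archive."""
    return DOCUMENTS[doc_id].contents

def fetch_document(doc_id: str, session_user: Optional[str]) -> str:
    """Hardened lookup: require an authenticated principal and check that it
    owns the record. Missing and foreign documents get the same answer, so the
    endpoint does not confirm which ids exist."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden("not found")
    return doc.contents

# Opaque, expiring links for parties without an account (buyers, agents).
# The token is random, so neighbouring documents cannot be derived from it,
# and it stops working after its time-to-live. Hypothetical design, not the
# company's.
SHARE_TOKENS: Dict[str, Tuple[str, float]] = {}   # token -> (doc_id, expires_at)

def issue_share_token(doc_id: str, issuer: str, now: float, ttl_seconds: int = 3600) -> str:
    """Only the owner may mint a link, and only for one of their own documents."""
    fetch_document(doc_id, issuer)            # reuses the authorization check
    token = secrets.token_urlsafe(32)         # 256 bits of randomness
    SHARE_TOKENS[token] = (doc_id, now + ttl_seconds)
    return token

def redeem_share_token(token: str, now: float) -> str:
    """Resolve a share link; unknown and expired tokens are refused alike."""
    entry = SHARE_TOKENS.get(token)
    if entry is None:
        raise Forbidden("not found")
    doc_id, expires_at = entry
    if now > expires_at:
        del SHARE_TOKENS[token]
        raise Forbidden("link expired")
    return DOCUMENTS[doc_id].contents

def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with Forbidden; used to show the contrast."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print("insecure, no session:", fetch_document_insecure("000000076"))
    print("hardened, wrong owner refused:", denied(fetch_document, "000000076", "alice"))
    link = issue_share_token("000000077", "alice", now=0.0, ttl_seconds=60)
    print("share link works before expiry:", redeem_share_token(link, now=30.0))
    print("share link refused after expiry:", denied(redeem_share_token, link, now=120.0))
```

The ownership check is the actual fix; the random token only removes the guessability that made the sequential ids so cheap to walk. Both are needed, because an unguessable link that never expires is still a permanent bearer credential sitting in email threads.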
A First American spokesman tells ISMG "the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information."
The spokesman says First American has hired a forensics firm to determine if there was "any meaningful unauthorized access to our customer data." The company didn't specify how many people may be affected.
First American didn't answer questions as to whether it planned to notify those whose data was exposed or regulators.
As Krebs points out, the risk is that attackers discovered the data and slowly accessed it so as not to trigger anti-bot detection mechanisms. But another problem is that access logs are typically discarded. If First American's data exposure has been a multiyear problem, there'd be no forensic data left, making it difficult to assess the ongoing risk.
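The paragraph above makes two points a defender would want to act on: an attacker pacing requests slowly to stay under anti-bot thresholds, and access logs that are discarded before anyone looks at them. The following added example (constructed sample log lines, hypothetical function names; not First American's logging or tooling) parses Common Log Format entries and flags a client that stepped through document ids one number at a time. It deliberately applies no rate threshold, since the sequential pattern is the same whether the ids were fetched in a minute or spread over days; it does need logs that cover the whole span, which is the retention point.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample access log (Common Log Format); not real traffic.
# One client walks ids 75..79 one at a time over about 31 hours, far below
# any per-minute rate limit. The other clients fetch their own records.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2019:02:14:07 +0000] "GET /docs/000000075 HTTP/1.1" 200 4821
198.51.100.9 - - [10/May/2019:02:15:11 +0000] "GET /docs/000431207 HTTP/1.1" 200 3112
203.0.113.5 - - [10/May/2019:06:41:52 +0000] "GET /docs/000000076 HTTP/1.1" 200 5190
203.0.113.5 - - [10/May/2019:11:03:19 +0000] "GET /docs/000000077 HTTP/1.1" 200 2230
198.51.100.9 - - [10/May/2019:11:20:44 +0000] "GET /docs/000431207 HTTP/1.1" 200 3112
203.0.113.5 - - [11/May/2019:03:55:02 +0000] "GET /docs/000000078 HTTP/1.1" 200 4002
203.0.113.5 - - [11/May/2019:09:12:30 +0000] "GET /docs/000000079 HTTP/1.1" 200 3870
192.0.2.44 - - [11/May/2019:09:13:01 +0000] "GET /docs/000220001 HTTP/1.1" 200 1500
192.0.2.44 - - [11/May/2019:09:13:40 +0000] "GET /docs/000220009 HTTP/1.1" 200 1600
"""

# Client, timestamp, nine-digit document id, status; path layout is assumed.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /docs/(\d{9}) HTTP/[\d.]+" (\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_document_hits(log_text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group successfully served document requests by client address."""
    hits: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "200":
            continue
        client, ts, doc_id, _status = m.groups()
        hits[client].append((datetime.strptime(ts, TS_FORMAT), int(doc_id)))
    return dict(hits)

def sequential_score(ids: List[int]) -> float:
    """Fraction of steps between successive distinct ids that move by exactly
    one. 1.0 means the client stepped through the archive a number at a time."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return steps / (len(ids) - 1)

def flag_enumerators(hits: Dict[str, List[Tuple[datetime, int]]],
                     min_docs: int = 4, min_score: float = 0.75) -> Dict[str, dict]:
    """Report clients that fetched at least min_docs distinct documents mostly
    in sequence, with the wall-clock span the walk covered. No rate threshold:
    a slow walk looks identical to a fast one in this view."""
    flagged = {}
    for client, events in hits.items():
        events = sorted(events)
        ids = list(dict.fromkeys(doc_id for _, doc_id in events))  # distinct, in order
        if len(ids) < min_docs:
            continue
        score = sequential_score(ids)
        if score < min_score:
            continue
        span_hours = (events[-1][0] - events[0][0]).total_seconds() / 3600
        flagged[client] = {
            "documents": len(ids),
            "sequential_score": round(score, 2),
            "span_hours": round(span_hours, 1),
        }
    return flagged

if __name__ == "__main__":
    for client, detail in flag_enumerators(parse_document_hits(SAMPLE_LOG)).items():
        print(client, detail)
```

Running this over a day of logs only catches walks that fit inside that day; the slow enumeration the article worries about is visible only if the aggregation window, and therefore the retained log history, is longer than the attacker's patience.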
Having your company’s sensitive data leaked is a nightmare! Even more so if your clients’ and customers’ information is exposed as well.
A few of the best ways to avoid such tragedies are: first, to make sure your company is up to date with all the latest government regulations concerning the security of business information. Second, making sure that your devices are disposed of properly, which helps to prevent residual data on old drives from being accessed. And finally, seeking the certified services of a professional company that can offer you secure data disposal and a guarantee that the data retention devices have been destroyed.
Interested in these services? Contact us or call 240-529-1010 for more details.
e-End is an R2 and NAID certified electronic recycling facility that also offers secure data destruction and IT Asset Disposal/Recovery solutions. Contact them today.