Title insurance and settlement service company First American Financial Corporation had a security vulnerability that allowed anybody with a web browser to view sensitive records, including:
- Bank account numbers & statements
- Mortgage documents
- Tax records
- Social security numbers
- Wire transaction receipts
- Driver license images
The records were accessible to anyone who knew the URL for a valid document on the website, and other documents could be viewed by changing a single digit in that URL. Krebs On Security, which notified First American about the breach after being tipped off by a reader, estimates that 885 million files were accessible.
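The flaw described above is a document lookup that checks only whether the ID is valid, never who is asking. The following is an added example, not code from First American or from the original post: it contrasts that pattern with a lookup that enforces authentication and ownership, and adds a regression check a team could run in CI. The store, document IDs, user names and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str  # account that is a party to the transaction
    body: str


# Constructed sample store with sequential numeric IDs, mirroring the
# "change a single digit in the URL" scheme the article describes.
STORE = {
    1000001: Document(1000001, "alice", "wire receipt (alice)"),
    1000002: Document(1000002, "bob", "mortgage statement (bob)"),
}


def fetch_vulnerable(doc_id: int, session_user: Optional[str] = None) -> Optional[str]:
    """Flawed pattern: a valid ID is the only requirement; the caller is ignored."""
    doc = STORE.get(doc_id)
    return doc.body if doc else None


def fetch_hardened(doc_id: int, session_user: Optional[str] = None) -> Optional[str]:
    """Require an authenticated caller and check ownership on every request."""
    if session_user is None:
        return None  # unauthenticated requests are always denied
    doc = STORE.get(doc_id)
    # Identical result for "missing" and "not yours", so a response never
    # confirms which document IDs exist.
    if doc is None or doc.owner != session_user:
        return None
    return doc.body


def cross_account_leaks(fetch: Callable, user: Optional[str]) -> List[int]:
    """Regression check: IDs readable by `user` that belong to someone else."""
    return sorted(
        d.doc_id
        for d in STORE.values()
        if d.owner != user and fetch(d.doc_id, user) is not None
    )
```

Random, non-sequential identifiers make guessing harder, but the per-request ownership check is what closes the hole.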
It’s currently unclear if this information was accessed by attackers/fraudsters, but this level of incompetence is truly mind-boggling. I’ve said it before and I’ll say it again: until the punishments for data breaches are increased, they will continue to happen at an alarming rate.
