Millions of Personal Financial Records Exposed on Title Insurer’s Web Site

Hundreds of millions of documents and personally identifiable information related to mortgage deals from First American Financial Corp. were leaked online due to a Web site vulnerability.

According to a May 24 report by KrebsOnSecurity, personal financial information and records including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver's license images were available to anyone with access to a Web browser due to a security flaw in First American Financial Corporation’s Web site. The digitized records were available without user authentication. 

Although First American has yet to disclose the total number of records exposed to the vulnerability, an analysis of identification markers suggests that the number may be as high as 885 million.

The California-based Fortune 500 real estate title insurer would not comment on the total number of records that were potentially revealed or the length of the exposure but shared that unauthorized access to the data was due to an application design defect.

KrebsOnSecurity adds that there is no information on whether bad actors were aware of the exposure or if the documents were mass-harvested.

More than 11.6 billion personal records have been exposed in data breaches since 2005. CUNA and the state leagues have been and will continue to press Capitol Hill lawmakers to establish a national data security standard that subjects all entities with access to personal financial data to the same privacy protections as financial institutions under Graham-Leach-Bliley, and holds any entity found responsible for a data breach liable for the resulting card reissuing and fraud costs.