First American Leaks BIG: 885M Customer Files Exposed

First American Financial (NYSE:FAF) is the latest huge corporation being cavalier with your data. Its website has been serving up title documents to anyone who can count.

In the most basic of security blunders, FirstAm exposed the private data of people buying real estate or refinancing—with zero authentication. Yes it’s our old friend, the insecure direct object reference.

In other words, change a number in a web link and you get someone else’s data. All you need to do is add 1.

And, wouldn’t you know it, FirstAm’s public response includes a classic sorry-not-sorry statement from the CEO. In today’s SB Blogwatch, we count to 885 million.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Creepcomplete.


FAF IDOR Fail

What’s the craic? All aboard the Brian Krebs cycle—“First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records”:

 The Web site for [the] Fortune 500 real estate title insurance giant … leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by [me]. The digitized records [included] bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

Earlier this week, [I] was contacted by a real estate developer … Ben Shoval … who said he’d had little luck getting a response from the company about what he found: … firstam.com was leaking … hundreds of millions of records. He said anyone who knew the URL for a valid document … could view other documents just by modifying … the link.

No authentication was required. … Modifying the document number in [the] link by numbers in either direction yielded other peoples’ records before or after the same date and time, indicating the document numbers may have been issued sequentially. … The earliest document number … referenced a real estate transaction from 2003.

A low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker. [It] would be a virtual gold mine for phishers and scammers.

Business Email Compromise … scams are the most costly form of cybercrime today. [It] would give fraudsters a constant feed of new information about upcoming … transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

MSMsplain it to normies? Nicole Perlroth and Stacy Cowley call it a “Security Gap”:

 The incident was the latest example of an under-the-radar company that retained enormous amounts of sensitive personal and financial data but was not effectively protecting that information. [But] organizations have paid little price for their security mishaps. … A study found that credit agencies actually profited after the Equifax breach … $10 freezing fees had added up to about $1.4 billion in revenue for the credit agencies, including Equifax.

In a presentation to investors in 2015, Dennis J. Gilmore, First American’s chief executive, was asked about cybersecurity: “We take it very, very serious and first of all, we structure our databases and our operating systems. … It’s an issue that we continue to spend a lot of time on both operating at the board level and at the committee level, something we take very serious and we watch very, very closely.”

O RLY? “Very, very serious”? Robert Lemos says it “Highlights Importance of Verifying the Basics”:

 A simple-to-exploit vulnerability … that could have resulted in the theft of hundreds of millions of sensitive records underscores the importance of verifying basic security measures and implementing secure programming practices. … The basic error is a major misstep for the financial firm.

The fix: teaching developers the top 10 security issues and frequent testing.

What does the $8.4 million-a-year CEO have to say for himself? DJ Gilmore spins via his PR minions—“First American Financial Comments”:

 ”We deeply regret the concern this defect has caused. … We are thoroughly investigating this matter and are fully committed to protecting the security, privacy and confidentiality of the information entrusted to us by our customers.”

The company is working diligently to address the defect and restore external access. … There is no indication that any large-scale unauthorized access to sensitive customer information occurred. … If the investigation shows that any confidential information has been compromised, the company will notify and provide credit monitoring services to the affected consumers.

So he “deeply regrets the concern,” but not the actual security defect? Here’s Arnold Lee—@NewAge2012dotTV:

 Another case where corporate treats IT as a cost center and not a necessary component like legal compliance.

Tone-deaf sorry-not-sorry aside, will he suffer? Chris Hugar has bitter experience:

 I’m retired now. … I worked at banks all my adult life. One thing never changed.

After a catastrophe, no biggies would be held accountable but many of the worker ants would suffer. Some would be fired.

The biggie would be on TV and claim the problem was solved. Many worker ants would have a very difficult time finding new employment since the HR department would hand out the company line instead of the truth.

ikr? Abbas Ali—@abbashaiderali—absolutely agrees: [You’re fired—Ed.]

 How much more irresponsible could they have been?! And of course there will be exactly zero consequences to them.

Management at @FirstAm will make hollow statements about how seriously they take security and we’ll all move on to the next security breach.

But at least “security, privacy and confidentiality are of the highest priority,” for FirstAm, eh? This Anonymous Coward has “had enough”:

 Companies need to shut the **** up with the doublespeak. … No, you clearly do NOT take the “security, privacy and confidentiality” of your customers seriously.

I might even have a shred of respect if they came out and said, “Yeah, we really ****ed this up bad. We have fired everyone who had anything to do with any decision which led to this, up to and including the CEO.”

We need to start seeing the corporate death penalty for these things. It’s the only way companies will ever “take your privacy and security seriously”.

What does FirstAm do, anyway? LDoBe just asked the same question:

 Just read up on title insurance because I didn’t know what it actually was.

Turns out it’s a necessary thing, due to the US having a stupid and lazily built legal framework for real estate titles. [It] appears to be designed to generate lawsuits as there’s no governmental authority that keeps track of conclusive evidence as to who owns what land.

Seems to me like a way to fix it would just have a national registry everyone’s required to use in addition to legally making it the final authority on who owns what. As I understand it that’s how it works in most of the world. And eventually all the land will be accounted for and we wouldn’t need to waste billions of dollars insuring transactions because a few million dollars would run the bureaucracy that replaced the current system.

Meanwhile, Brian in Pittsburgh—@arekfurt quips:

 Equifax: We’ve exposed the [PII] of more Americans then any other single entity ever.

First American: Amateurs. Stand back and hold my beer.

And Finally:

Creep but Using Google Autocomplete

Hat tip: b3ta


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: First American Financial Corp.

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 596 posts and counting.See all posts by richi