First American Financial Corporation, a leading US real estate mortgage insurer, left sensitive documents on the web without authentication.
On Friday the title insurance provider said that it fixed a vulnerability in its website that exposed 885 million records related to mortgage deals going back 16 years. Although there is no evidence that the data was accessed by criminal actors, the scale of the security lapse was massive.
The vulnerability was first reported by Brian Krebs of Krebs on Security, who was tipped off by a real-estate developer who found it. According to Krebs, anyone with access to a web portal for the company could have gained access to documents from other customers by altering digits in the web address.
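The missing check described above, as an added example in Python that is not First American's code: the document store, customer names, IDs and function names are all constructed for illustration. It contrasts a lookup gated only by the number in the address with one that verifies the session and the document's owner, and includes a regression check that lists other customers' documents a given user can read.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential number that appears in the web address
    owner: str    # customer the document belongs to
    title: str


# Constructed sample records, not real data.
STORE = {d.doc_id: d for d in (
    Document(1001, "alice", "wire instructions"),
    Document(1002, "bob", "tax record"),
    Document(1003, "bob", "driver's license image"),
    Document(1004, "carol", "closing package"),
)}


class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""


def fetch_unchecked(doc_id: int) -> Document:
    # The flaw as reported: the number in the address is the only gate.
    return STORE[doc_id]


def fetch_authorized(session_user: Optional[str], doc_id: int) -> Document:
    # Require a session, then check ownership on every request.
    doc = STORE.get(doc_id)
    # Same error for "missing" and "not yours", so responses do not
    # reveal which document numbers exist.
    if session_user is None or doc is None or doc.owner != session_user:
        raise Forbidden(doc_id)
    return doc


def foreign_docs_readable(fetch: Callable[[int], Document],
                          user: str, id_range: range) -> List[int]:
    """Regression check: IDs in id_range that `user` can read but does not own."""
    leaked = []
    for doc_id in id_range:
        try:
            doc = fetch(doc_id)
        except (KeyError, Forbidden):
            continue
        if doc.owner != user:
            leaked.append(doc_id)
    return leaked
```

Run against a staging copy of a real handler, a non-empty result from `foreign_docs_readable` is the signal that object-level authorization is missing.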
The exposed data included wire transactions with bank account numbers and post-dated PDFs for upcoming closings. Other documents included tax records and driver's license images. The data is now offline.
In a statement, First American said that it addressed the security lapse after it was notified by Krebs.
“We are currently evaluating what effect, if any, this had on the security of customer information,” the company’s statement said. “We will have no further comment until our internal review is completed.”
Although the vulnerability had not been exploited by hackers, this incident is yet another example of an under-the-radar company that retained enormous amounts of sensitive personal and financial data but was not effectively protecting that information.