After exposing 885 MILLION title insurance records, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver's license images, covering the last 16(!) years, the real estate title insurance giant First American Financial Corp issued this statement:
- “First American has learned of a design defect in an application that made possible unauthorized access to customer data.”
- Translation: We have used a cobbled-together web page which had no security audit whatsoever (because if we had, this would have been caught in the first place; breaches of exactly this kind are the most common in “the industry” and have happened many times before on other big sites). If you were logged in to their website, you only needed to change the sequential number in the address bar to get access to any other account. Of course nobody expects anyone to change one digit of a 9-digit sequential number to see if there is another record. We are totally surprised! Such things were previously unheard of … NOT!
- “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”
- Translation: Now that we’ve been caught, we try some damage control. (Damage control for the company, because the damage to the users and to the customers of the users already happened in the past.)
- “The company took immediate action to address the situation and shut down external access to the application.”
- Translation: We have not fixed it yet, but now that we’ve been caught, we took it offline (which we wouldn’t have needed to do if we had had a full security audit of the public-facing side of our site in the first place).
- “We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
- Translation: We are frantically searching for someone else to blame – preferably an outsider. Of course we know that all of the data was sitting unencrypted on the public web, and we are evaluating how to get out of this, because if enough people sue us we might see a billion dollar fine. Other than that: no comment until it’s all water under the bridge.
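The flaw the first translation describes, a sequential record number in the address bar with no check that the record belongs to the logged-in user, is an insecure direct object reference. As an added illustration (not code from the original post or from First American), here is that lookup in its vulnerable and hardened forms, plus an access-log check for the enumeration pattern a defender would want to catch; the records, users and log format are constructed.

```python
# Added example (not from the original post): the flaw described above is an
# insecure direct object reference. A lookup that trusts the id in the URL is
# shown beside a hardened one, plus a log check for id enumeration.
# All records, users and log lines are constructed for illustration.
import secrets

# Constructed store: 9-digit sequential record id -> (owning account, content)
RECORDS = {
    100000001: ("alice", "escrow statement"),
    100000002: ("bob", "wire receipt"),
}

class Forbidden(Exception):
    pass

def vulnerable_fetch(session_user, record_id):
    # Vulnerable: being logged in is the only check, so changing the number
    # in the address bar returns another customer's record.
    return RECORDS[record_id][1]

def hardened_fetch(session_user, record_id):
    # Hardened: authorize every request against the record's owner.
    owner, content = RECORDS[record_id]
    if owner != session_user:
        raise Forbidden(f"{session_user} does not own record {record_id}")
    return content

# Indirection: hand out a random reference instead of the sequential id, so
# that guessing adjacent numbers yields nothing. Ownership is still checked.
REFERENCES = {}

def issue_reference(record_id):
    token = secrets.token_urlsafe(16)
    REFERENCES[token] = record_id
    return token

def fetch_by_reference(session_user, token):
    if token not in REFERENCES:
        raise KeyError("unknown reference")
    return hardened_fetch(session_user, REFERENCES[token])

def enumeration_suspects(log_lines, threshold=3):
    # Detection: sessions that touch many distinct record ids in a short log
    # window look like enumeration. Constructed format: "<time> <session> <path>".
    ids_per_session = {}
    for line in log_lines:
        _, session, path = line.split()
        ids_per_session.setdefault(session, set()).add(path.rsplit("/", 1)[-1])
    return sorted(s for s, ids in ids_per_session.items() if len(ids) >= threshold)
```

The ownership check in `hardened_fetch` is the fix that matters; the random reference only removes the convenience of counting upwards, and the log check is the signal that such counting is happening.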
Other translations of other breaches would be welcome.
Edit 2019-06-03: Meanwhile, New York regulators are investigating the weakness as the first test of the state’s strict new cybersecurity regulation. That regulation, which went into effect in March 2019 and is considered among the toughest in the USA, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.
Let’s hope they use it to send a strong signal and give them a decent rap on their knuckles.
Edit 2019-07-02: It seems that, according to Bloomberg, a class action lawsuit has been filed. That can become expensive …
Edit 2020-06-18: The New York State Department of Financial Services (DFS) found that the vulnerability was discovered in a penetration test First American conducted itself in December 2018, and that the company neither fixed it nor shut it down before it became public in May 2019. The DFS was not amused:
“Respondent’s mishandling of its own customers’ data was compounded by its willful failure to remediate the Vulnerability, even after it was discovered by a penetration test in December 2018.”
Source: https://www.dfs.ny.gov/system/files/documents/2020/07/ea20200721_first_american_notice_charges.pdf (Page 2 at the bottom)
Penalty total since 2000: $14,145,524
… now we know what a full data set of an average First American customer is worth: 585,000,000 / 14,145,524 ≅ 2.504 ct
Source: Violation Tracker