What Does First American’s Massive Data Compromise Mean?

First American Financial, one of the biggest U.S. real estate title insurers, confirmed on May 24 that an application design flaw had left customer data vulnerable to potential unauthorized access. The impact of the disclosure has been substantial, but the extent of any potential breach is unclear.

First American told Reuters it had shut down the application and was assessing the effects of the flaw. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said in a statement. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”

First American’s statement came in response to a report earlier that day by security blog Krebs on Security. According to the report, 885 million customer records—including bank account numbers and statements, mortgage and tax documents, Social Security numbers, wire transaction receipts and driver’s license images—were exposed on First American’s website. Anyone who could figure out the company’s URL format could potentially have accessed the documents.

After news of the security defect, First American’s stock suffered its biggest decline since 2011, according to National Mortgage News. The company was also hit with a class action lawsuit on behalf of clients who claimed that First American put them at risk for identity theft, reports Bloomberg.

The design flaw at First American, where a link to sensitive information is created without a way to verify that only the intended party can view it, is called Insecure Direct Object Reference (IDOR) and is fairly common, reports Forbes. Manually accessing documents exposed by IDOR is labor- and time-intensive, but bots could potentially have harvested the data, using a “low and slow” attack—collecting information gradually rather than all at once—to avoid detection. Advanced Persistent Bots (APBs), which represented about three-fourths of “bad bots” traffic last year, frequently feature in such attacks, according to research by Distil Networks.
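The sketch below is an added example, not code from the article or from First American. It sets a lookup that trusts the identifier in the link beside one that checks ownership against the authenticated session, and uses the resulting audit log to flag slow enumeration. The document store, user names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample store: document id -> (owner, contents). All names are hypothetical.
DOCUMENTS = {
    1001: ("alice", "wire receipt"),
    1002: ("bob", "tax form"),
    1003: ("carol", "mortgage statement"),
}

def fetch_vulnerable(doc_id):
    """IDOR: knowing the id in the link is the only condition for access."""
    record = DOCUMENTS.get(doc_id)
    return record[1] if record else None

def fetch_hardened(session_user, doc_id, audit_log, now):
    """Serve the document only to the authenticated user who owns it."""
    record = DOCUMENTS.get(doc_id)
    allowed = record is not None and record[0] == session_user
    audit_log.append((now, session_user, doc_id, allowed))
    # Missing and not-yours get the same answer, so responses reveal nothing about ids.
    return record[1] if allowed else None

def flag_enumeration(audit_log, window_seconds, max_denied_ids):
    """Flag users denied on more than max_denied_ids distinct ids in the window.

    Counting distinct ids over hours, not requests per minute, is what
    surfaces a low-and-slow crawler that stays under a rate limit.
    """
    if not audit_log:
        return set()
    latest = max(ts for ts, _, _, _ in audit_log)
    denied = defaultdict(set)
    for ts, user, doc_id, allowed in audit_log:
        if not allowed and latest - ts <= window_seconds:
            denied[user].add(doc_id)
    return {user for user, ids in denied.items() if len(ids) > max_denied_ids}

def simulate():
    """Constructed traffic: one owner reading her file, one client probing ids."""
    log = []
    fetch_hardened("alice", 1001, log, now=0)
    for i in range(12):                      # one request every 20 minutes
        fetch_hardened("mallory", 1000 + i, log, now=i * 1200)
    return flag_enumeration(log, window_seconds=6 * 3600, max_denied_ids=5)

if __name__ == "__main__":
    print(fetch_vulnerable(1002))            # served to anyone who supplies the id
    print(simulate())
```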

While it remains to be seen whether any customers were actually harmed by the breach, the possible damage is far worse than in many other cyber attacks, given the sensitivity of the data, notes Wired. According to the magazine, the compromise drives home just how far companies still have to go with cybersecurity: “Perfect security is impossible, but the stakes are incredibly high and many large organizations still overlook basic errors.”