First American told Reuters it had shut down the application and was assessing the effects of the flaw. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said in a statement. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
First American’s statement came in response to a report earlier that day by security blog Krebs on Security. According to the report, 885 million customer records—including bank account numbers and statements, mortgage and tax documents, Social Security numbers, wire transaction receipts and driver’s license images—were exposed on First American’s website. Anyone who could figure out the company’s URL format could potentially have accessed the documents.
After news of the security defect, First American’s stock suffered its biggest decline since 2011, according to National Mortgage News. The company was also hit with a class action lawsuit on behalf of clients who claimed that First American put them at risk for identity theft, reports Bloomberg.
The design flaw at First American, where a link to sensitive information is created without a way to verify that only the intended party can view it, is called Insecure Direct Object Reference (IDOR) and is fairly common, reports Forbes. Manually accessing documents exposed by IDOR is labor- and time-intensive, but bots could potentially have harvested the data, using a “low and slow” attack—collecting information gradually rather than all at once—to avoid detection. Advanced Persistent Bots (APBs), which represented about three-fourths of “bad bots” traffic last year, frequently feature in such attacks, according to research by Distil Networks.
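To make the flaw concrete, here is an added illustration (not code from First American or from any of the outlets cited) of a document endpoint that trusts a guessable ID in the link, the same endpoint with an ownership check, and a simple log-side heuristic for the gradual harvesting the article describes; the document store, user names and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    contents: str


# Constructed sample store keyed by a sequential, easily guessed ID,
# the kind of identifier that ends up in a shareable link.
DOCS = {
    1001: Document(1001, "alice", "wire transaction receipt"),
    1002: Document(1002, "bob", "mortgage statement"),
    1003: Document(1003, "carol", "tax document"),
}


def fetch_document_vulnerable(requester: str, doc_id: int) -> Optional[str]:
    """IDOR pattern: the ID in the link is the only thing checked.
    Whoever holds (or guesses) the ID receives the document; the
    requester's identity is never consulted."""
    doc = DOCS.get(doc_id)
    return doc.contents if doc else None


def fetch_document_fixed(requester: str, doc_id: int) -> Optional[str]:
    """The ID alone is not sufficient: the requester must own the record.
    A missing document and a foreign document give the same answer so the
    response does not reveal which IDs exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        return None
    return doc.contents


def enumeration_score(requests: list) -> dict:
    """Detection heuristic for 'low and slow' harvesting: per requester,
    count distinct document IDs requested that the requester does not own.
    `requests` is a list of (requester, doc_id) pairs, as read from an
    access log; a high count from one identity over any time window is a
    signal worth alerting on even if the request rate looks normal."""
    foreign_ids = {}
    for requester, doc_id in requests:
        doc = DOCS.get(doc_id)
        if doc is None or doc.owner != requester:
            foreign_ids.setdefault(requester, set()).add(doc_id)
    return {r: len(ids) for r, ids in foreign_ids.items()}
```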
While it remains to be seen whether any customers were actually harmed by the breach, the possible damage is far worse than in many other cyber attacks, given the sensitivity of the data, notes Wired. According to the magazine, the compromise drives home just how far companies still have to go with cybersecurity: “Perfect security is impossible, but the stakes are incredibly high and many large organizations still overlook basic errors.”
