First American Left Hundreds of Millions of Insurance Records Exposed

Ezzeldin Tahoun
Published in PwnPizza
May 26, 2019

Multiple news outlets have reported a security flaw on mortgage settlement and title insurance company First American Financial’s website that allowed public access to private client documentation when exploited.

Why is it important?

The security flaw in First American Financial’s website made its real estate transaction records susceptible to theft. It is unclear if any malicious users have already exploited it to access the records [1]. If the records have been illegally accessed prior to the software patch, the privacy and financial security of millions of the company’s clients would be compromised.

Like many similar incidents that have happened in the past, First American Financial’s security flaw reminds us of the importance of keeping security in mind when designing external-facing systems and applications.

Who is affected?

First American Financial is one of the largest insurance firms in the United States and often represents both the buyer and the lender in real estate transactions in the country, so many people are expected to be affected.

It is estimated that over 885 million customer records from the past 16 years of the company’s operation were accessible to the public [2]. The leaked records contained sensitive customer information including bank account statements, social security numbers, and copies of personal identification documents [3].

What impact might it have on people?

Malicious users with access to the leaked data may impersonate real estate agents or other seemingly credible insurance parties and scam affected clients into wiring large sums of money to them. The same data may also be used to threaten clients (e.g. threatening to sell or release information unless the client pays a ransom). The exposure of personal data such as clients’ driver’s licenses and social security numbers may also lead to identity theft.

What were the causes?

The root cause of the data leak was a lack of security consideration during software design. URL links for documents related to transactions conducted by First American Financial were sent to the company’s clients. In any URL link for a valid document on the company’s website, the document/record number could be found and modified to access other files, because the document numbers had been assigned sequentially [2].

How might similar problems be prevented in the future?

As discussed in lectures, similar security failures can be mitigated by

  • making the distributed URL links unguessable,
  • utilizing cryptography to protect the data that is shared,
  • authenticating users that wish to access the data with software controls such as digital signatures or login credentials,
  • making client personal data unreadable after a certain length of time.

Such security faults can be prevented when security controls are considered at every stage of software design. Regular security assessments should also be conducted to catch security flaws before the software is released to users.
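The sketch below contrasts the flawed lookup described under the causes with a handler that applies three of the listed mitigations: a tamper-evident link, an expiry time, and an ownership check against the logged-in user. It is an added example, not First American's code; the record store, function names, key handling and one-week lifetime are assumptions, and an HMAC stands in for the digital signature mentioned in the list.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: sequential record numbers, as in the flaw described above.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement (alice)"},
    1002: {"owner": "bob", "body": "wire instructions (bob)"},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients
LINK_TTL = 7 * 24 * 3600            # assumed link lifetime, in seconds


def fetch_vulnerable(doc_id):
    """Flawed pattern: the record number in the URL is the only 'credential'."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def _sign(doc_id, expires):
    """MAC over the record number and expiry, so neither can be edited."""
    msg = f"{doc_id}:{expires}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def make_link(doc_id, now=None):
    """Issue link parameters that bind the record number to an expiry time."""
    expires = int(now if now is not None else time.time()) + LINK_TTL
    return {"doc": doc_id, "exp": expires, "sig": _sign(doc_id, expires)}


def fetch_hardened(params, session_user, now=None):
    """Serve a document only for a valid, unexpired link opened by its owner."""
    now = int(now if now is not None else time.time())
    try:
        doc_id, expires = int(params["doc"]), int(params["exp"])
        sig = str(params["sig"]).encode()
    except (KeyError, TypeError, ValueError):
        return None                       # malformed or incomplete link
    if not hmac.compare_digest(sig, _sign(doc_id, expires).encode()):
        return None                       # edited record number or expiry
    if now > expires:
        return None                       # link has aged out
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return None                       # logged-in user does not own the record
    return doc["body"]
```

Changing `doc` from 1001 to 1002 in a link issued by `make_link` invalidates the signature, and even an intact link returns nothing unless the authenticated session belongs to the record's owner.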

— — — — — — — — -

References:

[1] Security blog reports that First American left hundreds of millions of records exposed. https://www.washingtonpost.com/technology/2019/05/24/security-blog-reports-that-first-american-left-hundreds-millions-records-exposed/?utm_term=.670aaf3a6ac1

[2] First American Financial May Have Leaked Hundreds of Millions of Records. https://www.bloomberg.com/news/articles/2019-05-24/first-american-financial-may-have-leaked-millions-of-records

[3] First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records. https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/
