First American Financial Corp. Data Records Leak

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2019/05/first_american_.html

Krebs on Security is reporting a massive data leak by the real estate title insurance company First American Financial Corp.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”

Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site — 000000075 — referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.

This is not an uncommon vulnerability: documents without security, just “protected” by a unique serial number that ends up being easily guessable.

Krebs has no evidence that anyone harvested all this data, but that’s not the point. The company said this in a statement: “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.” That’s obviously not true; security and privacy are probably pretty low priorities for the company. This is basic stuff, and companies like First American Financial Corp. should be held liable for their poor security practices.
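To make the "protected only by a serial number" pattern concrete, here is an added example (not code from the post, Krebs, or First American) that puts a number-only lookup beside a handler that also requires a server-signed link token and a matching logged-in owner. The record store, user names, and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: record number -> (owner, contents). Not real records.
DOCUMENTS = {
    "000000075": ("alice", "closing statement (constructed)"),
    "000000076": ("bob", "wire instructions (constructed)"),
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def fetch_by_number_only(record_number):
    """The pattern the post describes: knowing the number is the only check."""
    entry = DOCUMENTS.get(record_number)
    return entry[1] if entry else None


def sign_link(record_number, owner):
    """Issue a link token bound to one record and one owner."""
    msg = f"{record_number}|{owner}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def fetch_authorized(record_number, token, session_user):
    """Serve a record only to its authenticated owner holding a valid token.

    Every failure returns None, so a caller cannot tell "no such record"
    from "not yours" and learn which numbers exist.
    """
    entry = DOCUMENTS.get(record_number)
    if entry is None:
        return None
    owner, contents = entry
    expected = sign_link(record_number, owner)
    if not hmac.compare_digest(expected, token):
        return None  # token was not issued for this record
    if session_user != owner:
        return None  # valid link, but the wrong logged-in user
    return contents


if __name__ == "__main__":
    alice_token = sign_link("000000075", "alice")
    print(fetch_by_number_only("000000076"))                    # neighbour's record
    print(fetch_authorized("000000076", alice_token, "alice"))  # None
    print(fetch_authorized("000000075", alice_token, "alice"))  # alice's own record
```

The record numbers can stay sequential in the hardened handler; what changes is that the number alone no longer authorizes anything.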