First American Financial Corp., one of the largest U.S. title insurers, may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003, according to a security researcher.
The flaw was outlined Friday in an
In a statement, First American said that it learned of a “design defect in one of its production applications that made possible unauthorized access to customer data” and has shut down external access.
“We are currently evaluating what effect, if any, this had on the security of customer information,” the company said. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
Title insurers like First American use their records and public documents to verify a seller is a property’s true owner and that it is free from liens. The companies collect a premium at the closing of the purchase and pay costs that may arise if someone disputes the new owner’s right to the property. That work means they regularly handle private information.
Ben Shoval, a real estate developer in Washington state, said he noticed the vulnerability after getting a link from First American earlier this week.
“I clicked on it and it sent me to a document that was for my transaction,” he said in an interview. “But when I looked at the link, I realized that if I just changed one number in it, it would show me other people’s private documents.”
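The link pattern Shoval describes, a sequential number in the URL that the server never ties back to the requesting customer, is a textbook insecure direct object reference. The Python below is an added illustration of that pattern and its fix; it is not First American's code and nothing in the article describes their implementation. The document store, user names, ids and function names are all invented. It shows the vulnerable lookup, the enumeration that walks adjacent numbers and collects other customers' documents, and a hardened lookup that checks ownership server-side and issues unguessable link tokens.

```python
"""Toy illustration of an insecure direct object reference (IDOR): a document
link carrying a sequential number, with no check that the requester owns the
document.  Constructed example; the store, users and ids below are invented
and are not First American's code or data."""

import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    title: str


class NotFound(Exception):
    """Raised for a document the requester may not see (or that does not exist)."""


# Constructed sample store, keyed by the sequential number that appears in the link.
DOCUMENTS: Dict[int, Document] = {
    1000: Document(1000, "alice", "closing statement, 12 Main St"),
    1001: Document(1001, "bob", "wire instructions, 9 Oak Ave"),
    1002: Document(1002, "carol", "title commitment, 4 Elm Rd"),
}


def vulnerable_fetch(doc_id: int, requester: str) -> Document:
    """Vulnerable: the requester may be authenticated, but the lookup never
    checks that doc_id belongs to them, so any valid number returns a document."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def hardened_fetch(doc_id: int, requester: str) -> Document:
    """Hardened: authorization is enforced on every lookup.  A document the
    requester does not own is reported as not found, so someone walking the
    number space learns nothing about which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requester:
        raise NotFound(doc_id)
    return doc


def enumerate_leak(requester: str, start: int, count: int,
                   fetch: Callable[[int, str], Document]) -> List[int]:
    """Simulate what the article describes: change the number in the link and
    collect the ids of documents belonging to someone other than the requester."""
    leaked = []
    for doc_id in range(start, start + count):
        try:
            doc = fetch(doc_id, requester)
        except NotFound:
            continue
        if doc.owner != requester:
            leaked.append(doc_id)
    return leaked


# Defence in depth: links carry a random token instead of the raw sequential id.
# Hypothetical link issuance; the in-memory mapping stands in for a database.
LINKS: Dict[str, int] = {}


def issue_link(doc_id: int) -> str:
    """Mint an unguessable token for a document link (256 bits from the OS RNG)."""
    token = secrets.token_urlsafe(32)
    LINKS[token] = doc_id
    return token


def fetch_by_token(token: str, requester: str) -> Document:
    """Resolve a link token, then still enforce ownership: a token only makes
    the link unguessable, it does not prove the bearer is the customer."""
    doc_id = LINKS.get(token)
    if doc_id is None:
        raise NotFound(token)
    return hardened_fetch(doc_id, requester)


if __name__ == "__main__":
    print("vulnerable:", enumerate_leak("alice", 1000, 3, vulnerable_fetch))
    print("hardened:  ", enumerate_leak("alice", 1000, 3, hardened_fetch))
```

The server-side ownership check is the actual fix. Random tokens only make links hard to guess; they do not replace the check, because a link can be forwarded or logged, and a bearer is not necessarily the customer. Returning not-found rather than forbidden for documents the requester does not own keeps the number space from confirming which records exist.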
Shoval said he tried notifying First American but received no response. Then, he contacted Krebs, who was able to confirm the vulnerability and estimate its scale.
Krebs wrote in his article that he notified First American of the issue. He also noted that he didn’t have any information on whether fraudsters knew about the weakness or if any documents had been mass-harvested.
Earlier on Friday, he suggested the leak was “truly massive.” The company’s shares fell 2.2% in post-market trading before rebounding.
A spokesman for First American declined to comment on the number of records potentially exposed or how long they were publicly available.