May 24, 2019

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

First American Financial Corp. Image: Linkedin.

Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.

And this would potentially include anyone who’s ever been sent a document link via email by First American.

KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.

Many of the exposed files are records of wire transactions with bank account numbers and other information from home or property buyers and sellers. Ben Shoval, the developer who notified KrebsOnSecurity about the data exposure, said that’s because First American is one of the most widely-used companies for real estate title insurance and for closing real estate deals — where both parties to the sale meet in a room and sign stacks of legal documents.

“Closing agencies are supposed to be the only neutral party that doesn’t represent someone else’s interest, and you’re required to have title insurance if you have any kind of mortgage,” Shoval said.

“The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.

Shoval shared a document link he’d been given by First American from a recent transaction, which referenced a record number that was nine digits long and dated April 2019. Modifying the document number in his link by numbers in either direction yielded other peoples’ records before or after the same date and time, indicating the document numbers may have been issued sequentially.

The earliest document number available on the site – 000000075 — referenced a real estate transaction from 2003. From there, the dates on the documents get closer to real time with each forward increment in the record number.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

As of the morning of May 24, firstam.com was returning documents up to the present day (885,000,000+), including many PDFs and post-dated forms for upcoming real estate closings. By 2 p.m. ET Friday, the company had disabled the site that served the records. It’s not yet clear how long the site remained in its promiscuous state, but archive.org shows documents available from the site dating back to at least March 2017.

First American wouldn’t comment on the overall number of records potentially exposed via their site, or how long those records were publicly available. But a spokesperson for the company did share the following statement:

“First American has learned of a design defect in an application that made possible unauthorized access to customer data.  At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

I should emphasize that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).

Nevertheless, the information exposed by First American would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

As noted in past stories here, these types of data exposures are some of the most common yet preventable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information for all of their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed personal and financial details of countless customers across hundreds of bank Web sites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.


109 thoughts on “First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

  1. KoSReader6000000

    There are number of good comments in this tread.

    No Security : ‘”Chief Executive Officer at FIRST AMERICAN FINANCIAL..made $8,402,957 in total compensation…they should drop the comp $1M or so and hire some security.”‘

    I agree that is A lucrative compensation package but he leaves to a hole in their security – to the detriment of his customers. I wonder if the CEO’s house is on one of those exposed Urls.

    A.J. Soria: “This was completely preventable and reeks of gross negligence”

    I have to agree.

    Disgruntled FirstAm Customer: “Completed forms are all encrypted, scanned, and the hardcopies are thrown away… After the transaction is done, FirstAm has nothing left afterwards except the last 4 digits of a customer’s SSN…I guess she forgot to say, “FirstAm employees cannot access the encrypted copy, but everyone else on the internet can.””

    I feel for you. I have been scammed by non-written verbal assurance before. Clearly, 16 years worth of data indicates that is not true.

    Gunter Königsmann: ‘Sequential numbers in URLs, probably. Not bad by itself… But add any additional bug to it and you’re in deep trouble.”

    That is a big problem. I will talk about that in a bit.

    Jennifer: “…another misconfigured bucket? … This is why the US needs GDPR. There’s no privacy without protection.”

    Yes. It seems so.

    I took a look at FA job opening page and its source code seems to indicate the content generator is WordPress. It is somewhat popular – even the White House used it at one point.

    I used to do some Top of the LAMP stack work with WordPress and other CMS long ago with the serialization of rows of data thing [or Problem].

    I think for WordPress “serialization” data came in around WordPress ~ version 2.5 or higher [Lamp is. Linux, Apache, MySql, Php – a stack of software used for CMS].

    Let’s talk honestly, if First America used a serialization Content Management System or CMS [or CRM] years ago – would a simple plug-in such as Prevent Direct Access have helped keep First America s customer’s data safe?

    It is not an expensive plug-in and there are open source versions which are free of cost.

    WordPress plug-in description:

    “Prevent Direct Access provides a simple way to protect your WordPress files as well as prevent Google, other search engines and unwanted users from indexing and stealing your hard-to-produce ebooks, documents and videos.” -WordPress org

    wordpress[.]org/plugins/prevent-direct-access/

    Any database experts care to comment on this topic?

    1. Chris Hugar

      I worked at banks all my adult life. One thing never changed. After a catastrophe, no biggies would be held accountable but many of the worker ants would suffer. Some would be fired. The biggie would be on TV and claim the problem was solved. Many worker ants would have a very difficult time finding new employment since the HR department would hand out the company line instead of the truth. I’m retired now and I had the pleasant experience of seeing some of the biggies later shoulder the blame and lying HR sycophants on the street. Tough luck, chuck.

      1. Moike

        > After a catastrophe, no biggies would be held accountable but many of the worker ants would suffer.

        As proof, mark your calendars. Check back here in a year to see the pay increase that Dennis Gilmore has received for allowing this poorly reviewed security breach to continue.

    2. Devyn

      Yes, if they’re just plain uploading the files to WordPress then that plugin would do it. However, honestly, that seems like an immense amount of content to manage with WordPress, which isn’t really meant for that. For such a large company I’m sure they could afford something more appropriate.

  2. Chris Butson

    The New York Times published this story on May 24 (https://nyti.ms/2EwrXuq) and quoted Dennis Gilmore, CEO of First American, from a presentation he gave in 2015 on cybersecurity. He is quoted as saying “We take it very, very serious”, though apparently not seriously enough to use proper grammar (or, you know, security).

  3. Manec

    world is run by criminals.
    Its all Same global mafia.
    Big organizations and corporations are just the legit fronts.
    Big guys who run the show Will drink Champagne and small Ghetto criminals Will Take a blame.
    There is no justice its just power.
    Mafia Existing everywhere we Don’t see it but More bigger things or success You Want the More You need to deal with mafia.

    Until Good people belive that nice guys with nice suits and smiling faces Nothing gona change.
    WHO fault it is? Don’t complain If You Don’t undestood how the world Works.

    1. PattiM

      I will say Yuval Noah Harari stated in his review of the history of mankind that, “There is no justice in history” – meaning exactly that. There has been no known “just” civilization.

  4. Otto

    I have a beef about the company’s statement, quote:

    “First American has learned of a design defect in an application that made possible unauthorized access to customer data.”

    What the company deems authorized/unauthorized access has to be reflected in the system settings. Based on the access control setting to this data, “Everyone” had access to all of the records.

    How this setting did not raise a “red flag” is beyond me. Maybe it did for programmers and they provided alternatives, but the company deemed it too cumbersome to the email recipients and/or too costly to implement.

    At the very least, the company should have created a GUID for each sent email and use it for controlling access to the record, obfuscate the url, time limit access to the record, etc. While not the best way to secure records accessible over the web, it certainly beats “Everyone” access setting.

    When a design does not even account for the basic security principals, it’s not an error. It’s by design…

    1. SkunkWerks

      This is a common sort of weasel-wording, usually coming from people too dense to understand technical matters at anything more than a superficial level, but cognizant enough to realize what it may mean in terms of culpability.

      ‘It was a computer problem! I mean, computers! Amirite?! Who can understand this stuff? So hard…’

      “How this setting did not raise a “red flag” is beyond me.”

      Classic Security By Obscurity, most likely.

      There probably were some knowledgeable folks raising red flags inside the company- for months or even years- and those people were probably hit with the mollification that “well, yeah, they could do that, but no one would ever have any reason to…”

      It’s not just a fool and his money that are soon parted these days.

  5. Readership1

    Some of the spam comments are almost convincing.

  6. Pradeep Singh

    The SVP/CIO is a Psych major. Anyone remember Equifax and the CISO being a Music major?…

    1. HookedOnPhonics

      Some of the best minds in computer science didn’t study computer science in college. It isn’t even uncommon for someone to major in a completely unrelated field.

      1. Hooked On Majors

        And probably more unqualified than successful. Psych major? Ha ha

    2. Hooked On Drugs

      What does this have to do with this article ?

      1. Steven

        pay attention,, it was the price of tea in China and Egypt

    3. Eye Sore

      I completely agree with your observation @ Pradeep . I did have the same sentiment for the CIO where her Major in Psych is so not justified for that position. Reason here is sometimes the C-Levels are so blind sided that they don’t even realize it’s a “Square Peg In a Round Hole”. Like someone said it’s a company for Manager’s but IT cannot work in this Fashion. The top Brasses in IT do need to have more than just Management Skill’s. They need to be proficient at Technology too to be a legit Tech Leader.

      The CISO also seems to be the same as I do not see any solid IT educational background. Majoring in Forensic Science still does not qualify for a Legit CISO. I would rather get a 10th grade Ethical Hacker for that position who may do a much more Fab Job.

      @Dennis – High time for a Overhaul of your Top Exec’s(including VP’s and Directors) before they Sink your Ship.

    4. Recent FA Emp

      The new CIO is a liar and a corp shill she is a proven liar over and over again. When you layoff 20% of the workforce this is bound to happen.

  7. Cheshire

    Sigh…..this makes us look worse…whats our budget on Defense Spending…getting rolled…Those records should have been taken off line and and properly archived. Grab the root build.pop
    Grab a texteditor
    then just —– /data/data/*hostdbip*.settings/

    Modifying root gloabl seeings is not skin of my a$$
    Grab that RazorSQL editor then its pwn pwn pwn pwn mod mod mod till I get that settings storage place it in a different field so I go undetected and leeeeeech till data is delivered…..

    Hate to hear stories like this….weak admins….weak sec…weak CTO’s….weak compliance, weak weak weak…we look like were the cleveland browns in the IT game…..sigh….

  8. Billie Powers

    This is a complete fraud upon all of us who have ever dealt with this company. I have been fighting for years Against the crimes involving identity theft and usurpation and have hundreds of pages of documents and emails shared with fnf attorneys and employees.
    This is a good way to do some perging of documents and claim no responsibility? Unbelievable.

  9. Charles

    How about telling all us potential victims how to find out if its our personal information First American has thrown to the crooks?

    1. timeless

      We won’t know until First American tells us.

      Unless they happened to also leak their web access logs, there’s really no way for an outsider to know.

      And they might not even retain sufficient web access logs to be able to answer the question.

      In general, it’s best to assume that all data you’ve shared w/ anyone ever is somewhere that someone you don’t really want to have access to it will be able to access it.

      Most of the data here is probably best used to impersonate you.

      If you’re seriously concerned, the best protection is to enable 2FA on everything (you should do this anyway) and if possible demand in-person verification (not over the phone…).

      Also, for any transaction over say $1,000 if you can force two independent people to sign off and have them properly (* this is hard) verify transactions (using historical out-of-band communication mechanisms) that would be good for the world.

  10. Gene Siciliano

    This is scary. Especially since I am currently involved in a real estate transaction in which First America is the facilitator, the escrow office, and the holder of our money. If we get through this one okay there will be a different agent for the next one.

  11. Povl H. Pedersen

    I can only ask myself, how often have they had a pen-tester test the sites security ?
    Likely never.

    I am in GDPR-land, and we do tests, internal or external. and it is a 2-digit number of years ago I last saw anything resembling sequential letters/numbers. If it is not an UUID I am suspicious. If you can log in with an order number + e-mail address then I reject the solution.
    Since GDPR we have removed access to much customer data from the Internet, and completely stopped collecting/keeping other.

    The USA needs GDPR. But it would kill Facebook, Google and other if they can only collect data they get approval for collecting, and can not resell it without prior consent, and all purchasers of data will need to have a “business releationship” with the subject as well. And only use the data for the purpose for which it was collected.

    1. Ooh I Like Cereal

      “The USA needs GDPR. But it would kill Facebook, Google and other if they can only collect data they get approval for collecting”

      Man, you hit the nail on the head right there. I say “bring it on”. I would love to see Facebook, Google, and the like die off, though, it will never happen. The tech giants you listed are receiving pretty hefty fines right now from GDPR and other privacy organizations, but you’re right, we need some sort of standard that needs to be enforced. There is a complete disregard for their users’ privacy and it’s disturbing that they are essentially getting a slap-on-the-wrist. How Zuckerberg is still employed is beyond me…

    2. Dfg

      They wouldn’t even Die. Google lets you control what they keep on you, but if you want their service to work well you need to keep some things on.

      Which makes sense .. if you want you assistant to help you it needs to know stuff about you and your habits (and sometimes propose some ads).

      Facebook seems to be fighting way more against GDPR so maybe they do rely a lot on selling information without the user consent, but I’m sure it wouldn’t kill Google.

  12. Mickey Deez

    The title of this post says First American Financial corp leaked — LEAKED —

    LEAKED? what…you mean peeked. You sheep, go to sleep. Its no leak if it couldn’t peek. But, you know it had to …. first sneak.
    The posts on this thread are freaks. my, oh my…I can’t wait for more. Treats.

    My question, dont these corps have….any creeds?

  13. Mike Anders

    First American may want to monitor the exposure on the Dark Web. Not sure if what is there is from this incident but certainly worth looking into. Unfortunately, I do not have the time. First American Title? Check Pastebin. Not a criticism just an observation!

  14. The Sunshine State

    Great informative article ! Didn’t get the email notification about this one last Friday ?

  15. Kiers

    Fortunately for the brave new world, software is completely EXEMPT from TORT law. Period. No liability.

  16. Hello

    Funny, I used to work at FA and if there is a group that has money, it’s the security org. Always hiring someone, new implementations, pain in everyone’s butt for every release, etc. Have you read The Phoenix Project? That’s FA. Security doesn’t realize that if they prevent things from being released, FA doesn’t make money.

    So, that group missing something as simple as this is really sad and scary. They’re so focused on moving to the cloud and laying off staff to try to be more profitable that they miss the little, and obvious things.

    FA is a bad place to work, so as a former employee who was laid off, I don’t have any sympathy. I hope this costs them…a lot.

  17. Ronald Burns

    How in the world is it that no penetration or vulnerability test picked this up???

    1. PattiM

      Thanks for that link – excellent – this seems to be the only way justice is handled in the US. I wonder who funds such expensive legal efforts in our neo-Democracy?

  18. Pat Kelly

    “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.” SO how committed? What is the company’s commitment to ensuring the customer data is safe? Have they had an independent audit of their security controls, penetration tests, or other security audits? IS their IT outsourced? And who developed, maintained and tested this web application? Unless they have answers for these questions, the are not commited and should be sued for gross negligence. The banking industry has GLB, what do companies of PII have as a security standard?

  19. Ronald Purcell

    Thanks for the information I think I had used this company

  20. Jeremy

    It seems like PR wonks have been using this copy-and-paste statement for years: “security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.”

    The same template is used by an airline CEO at a memorial service/crash site, by a news anchor when a story was incorrect, or by a police department when there was an incident. If this was truly the case, you wouldn’t be talking about a data breach, a plane crash, a mis-spoken word, or an incident.

    I’d have more respect for them if they admitted that they’re people and their priorities were in the wrong place, it will be fixed and made right for customers.

  21. Reed Kathrein

    If you are an investor and suffered losses due this event, please contact Reed Kathrein at 510-725-3000 . Persons with non-public information regarding FleetCor should consider their options to help in the investigation or take advantage of the SEC Whistleblower program. Under the new program, whistleblowers who provide original information may receive rewards totaling up to 30 percent of any successful recovery made by the SEC.

Comments are closed.