First American Title/Financial Corp. May Have Leaked 885 Million Customer Records

Title company faces class action lawsuit for its apparent negligence

By Jeff Sorg, OnlineEd Blog

(May 29, 2019)

A class-action lawsuit is already filed in California after Brian Krebs, a cybersecurity expert, reported 885 million First American files were available without authentication to anyone with a web browser. The data allegedly included bank account numbers, social security numbers, and financial and tax records.

First American was ultimately notified by Brian Krebs of KrebsOnSecurity, who was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company when told by him that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link. Brian Krebs posted on his web site, “KrebsOnSecurity confirmed the real estate developer’s findings, which indicate that First American’s Web site exposed approximately 885 million files, the earliest dating back more than 16 years. No authentication was required to read the documents.” *

In their complaint**, Gibbs Law Group alleges, “First American made it incredibly easy for the public to access this private information by failing to implement even rudimentary security measures. Suppose that you are a First American customer. The company provides you with a URL to access your documents on its website. That URL might end in “DocumentID= 000000075.” Now suppose you want to access someone else’s personal file. Type the same URL but alter the Document ID number by one digit—say, “DocumentID=000000076”—and someone else’s personal file will appear. Change the numbers again (and again), and you will reveal still more personal files.”

* Read the entire Brian Krebs posting available on his website here: https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

** Class action lawsuit Gritz v. First American Financial Corp., 19-cv-01009, U.S. District Court, Central District of California (Santa Ana).

###

OnlineEd blog postings are the opinion of the author and not intended as legal or other professional advice. Be sure to consult the appropriate party when professional advice is needed.

For more information about OnlineEd and their education for real estate brokers, principal brokers, property managers, and mortgage brokers visit www.OnlineEd.com.

All information contained in this posting is deemed correct as of the date of publication, but is not guaranteed by the author and may have been obtained from third-party sources. Due to the fluid nature of the subject matter, regulations, requirements and laws, prices and all other information may or may not be correct in the future and should be verified if cited, shared or otherwise republished.

OnlineEd® is a registered Trademark.