Title Company Exposes 16 Years of US Mortgage DataFirst American Mortgage Corp. Left Documents on Web Without Authentication
If there's one transaction where a person's financial life is laid bare to many external parties, it's buying a house. The sheer number of documents that get shuffled around is a huge potential score for an identity thief.
And on Friday Brian Krebs revealed an astounding data exposure at First American Financial Corp. of Santa Clara, California, which is one of the largest providers of title insurance and settlement services for home buyers in the U.S. The company had $5.7 billion in revenue in 2018, according to its annual report.
Krebs was tipped off by real estate developer Ben Shoval that the company's website had exposed 885 million housing-related files going back to 2003.
The documents included wire transactions with bank account numbers and post-dated PDFs for upcoming closings. Other documents included tax records and drivers license images. The data is now offline.
Still in Cache
A redacted document posted by Krebs labeled "seller information" includes the person's name, marital status, physical address, email address, mortgage lender and Social Security number.
Shoval tells Krebs he discovered that with a valid link to American First's data trove, incrementing a single digit in the link could bring up other documents without any authentication. The type of vulnerability, an insecure direct object reference, is an elementary but common one in web applications.
"The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."
—First American Mortgage Corp.
Shoval notified Krebs after failing to receive a response from First American. By Friday afternoon EDT, First American had disabled the site.
But TechCrunch reports that as many as 6,000 documents are still in the cache of search engines, although First American was taking steps to get that data removed.
Krebs writes it appears that the files are organized sequentially, with the earliest records having a lower nine-digit number than the later ones. He found one "000000075" - which appeared to be from 2003.
A First American spokesman tells ISMG "the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information."
The spokesman says First American has hired a forensics firm to determine if there was "any meaningful unauthorized access to our customer data." The company didn't specify how many people may be affected.
First American didn't answer questions as to whether it planned to notify those whose data was exposed or regulators.
As Krebs points out, the risk is that attackers discovered the data and slowly accessed it so as not to trigger anti-bot detection mechanisms. But another problem is that access logs are typically discarded. If First American's data exposure has been a multiyear problem, there'd be no forensic data left, making it difficult to assess the ongoing risk.