The website of First American exposed millions of customer documents that contained banking data and Social Security numbers
First American Corporation, one of the largest real estate and mortgage insurance companies in the US, exposed millions of sensitive documents on their official website firstam.com. The files contained sensitive details, such as bank account information, Social Security numbers, tax records, names, phone numbers, email addresses, and driver license numbers.
Security researcher Brian Krebs was contacted by a real estate developer who noticed the flaw on the official site. It allowed anybody who had received any type of document from First American to view other people's data simply by changing the document number in the link shown in the web browser.
According to the findings, more than 885 million documents, the oldest of which date back to 2003, had been exposed in this way since at least March 2017. No password or other form of authentication was needed to view these records, as long as the URL was known.
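The flaw described above is a missing object-level authorization check: the document number in the URL was treated as the only credential. The following added example (written for this article, not First American's code) shows that flawed lookup next to a hardened version that verifies the requester owns the document and hands third parties an expiring random share token instead of the sequential number. The users, documents, and the explicit `now` clock are constructed for the example.

```python
"""Added example, not First American's code: a document lookup written first
as the flawed pattern the article describes and then with an object-level
authorization check plus unguessable, expiring share tokens.
Users, documents and the clock value are constructed for this example."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential internal number, the kind that appeared in the exposed URLs
    owner: str    # the customer the document was issued to
    body: str


# Constructed records for two unrelated customers.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "Alice closing statement: SSN, bank routing number"),
    1002: Document(1002, "bob", "Bob tax records: SSN, wire instructions"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """Flawed pattern: the document number in the URL is the only 'credential',
    so anyone who edits the number reads a stranger's file."""
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def is_authorized(doc_id: int, requester: str) -> bool:
    """Object-level check: the authenticated requester must own the document."""
    doc = DOCUMENTS.get(doc_id)
    return doc is not None and doc.owner == requester


def fetch_document_hardened(doc_id: int, requester: str) -> Optional[str]:
    """Same lookup, but every request is checked against the document's owner.
    A missing document and a foreign document get the same answer, so the
    numbering reveals nothing about which ids exist."""
    if not is_authorized(doc_id, requester):
        return None
    return DOCUMENTS[doc_id].body


# Share links for third parties (an agent, a lender): a random token that expires,
# instead of the sequential id, so editing the link cannot reach a neighbouring file.
_SHARE_TOKENS: Dict[str, Tuple[int, float]] = {}


def issue_share_token(doc_id: int, issuer: str, now: float,
                      ttl_seconds: float = 3600.0) -> Optional[str]:
    """Only the owner may create a link; 32 random bytes make guessing infeasible."""
    if not is_authorized(doc_id, issuer):
        return None
    token = secrets.token_urlsafe(32)
    _SHARE_TOKENS[token] = (doc_id, now + ttl_seconds)
    return token


def resolve_share_token(token: str, now: float) -> Optional[str]:
    """Look up a share link; unknown or expired tokens return nothing."""
    entry = _SHARE_TOKENS.get(token)
    if entry is None:
        return None
    doc_id, expires_at = entry
    if now > expires_at:
        _SHARE_TOKENS.pop(token, None)   # expired links are discarded
        return None
    return DOCUMENTS[doc_id].body


if __name__ == "__main__":
    print("vulnerable, no login:", fetch_document_vulnerable(1002))
    print("hardened, alice -> bob's file:", fetch_document_hardened(1002, "alice"))
    link = issue_share_token(1001, "alice", now=0.0)
    print("share link resolves:", resolve_share_token(link, now=60.0))
    print("share link after expiry:", resolve_share_token(link, now=7200.0))
```

The point of the two layers is that the token only replaces guessability; the ownership check is what stops a logged-in customer from reading another customer's file, and it has to run on every document request, not just when the link is created.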
First American is one of the largest insurance companies in the United States, with 130 years of experience. It employs more than 18,000 people and generates revenue of $5.8 billion per year, according to data from 2017.
It is yet unknown if cybercriminals harvested the exposed information
First American confirmed the website compromise, but it is not yet known whether bad actors misused the exposed data. Nevertheless, the financial giant immediately cut off external access to the document application that could have been exploited by potential hackers. The corporation admitted the mistake in a statement:
First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.
While access to the sensitive records has now been stopped, the company confirmed that around 6,000 cached copies of the documents are still stored by search engines, although the spokesperson said that First American is doing everything it can to have this information removed.
Hackers could employ bots to mass-harvest the exposed sensitive data and use it for BEC scams
According to Dave Farrow, Senior Director of Information Security at Barracuda Networks, the incident comes down to a simple design flaw in the website:
Essentially, a link to a webpage with sensitive information is created and intended to only be seen by a specific party, but there is no method to actually verify the identity of who is viewing the link. As a result, anyone who discovers a link to one document can view it—and can discover any of the other documents hosted on the site by simply modifying the link.
According to Farrow, accessing all the documents manually would be time-consuming, although some attackers might be up for the challenge, considering how sensitive the exposed data is. However, things could get much worse if bad actors automated the process with bots.
While the company's security systems might pick up the activity if it were done carelessly, "low and slow" attacks would not be spotted, and the threat actors could obtain a significant amount of data without anyone noticing. The latter method is carried out using advanced persistent bots (APBs), which evade common detection triggers such as mass failed login attempts and high traffic from a particular IP address.
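Farrow's point about "low and slow" collection is that a rate threshold alone is the wrong signal for this flaw: the tell is the shape of what a client reads, not how fast it reads it. The added example below (written for this article, not Barracuda's or First American's tooling) runs two checks over constructed web-server access lines: a per-minute request-rate rule of the kind that misses slow clients, and an enumeration rule that flags a client whose distinct document ids form a consecutive run, however long the run is spread out. The log format, IP addresses, document ids and thresholds are all constructed.

```python
"""Added example (not the page's or any vendor's code): rate-based versus
pattern-based detection of document enumeration in access logs.
Log lines, addresses, document ids and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed log format: common-log style with a /documents/<id> path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /documents/(?P<doc>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime, int, int]]:
    """Return (ip, timestamp, document id, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["doc"]), int(m["status"])


def _entry(ip: str, ts: datetime, doc: int) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /documents/{doc} HTTP/1.1" 200'


# Constructed sample: a normal customer, a fast enumerator, and a slow enumerator.
_START = datetime(2019, 5, 24, 9, 0, tzinfo=timezone.utc)
_LINES: List[str] = [
    _entry("192.0.2.44", _START, 1001),                          # customer reads own two files
    _entry("192.0.2.44", _START + timedelta(hours=6), 1537),
]
_LINES += [_entry("198.51.100.7", _START + timedelta(seconds=8 * i), 2001 + i)
           for i in range(6)]                                    # six consecutive ids in 40 s
_LINES += [_entry("203.0.113.5", _START + timedelta(minutes=20 * i), 3001 + i)
           for i in range(8)]                                    # eight consecutive ids over ~2.5 h
SAMPLE_LOG = "\n".join(_LINES)


def max_requests_per_minute(timestamps: List[datetime]) -> int:
    """Largest number of requests from one client inside any 60-second window."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > timedelta(seconds=60):
            j += 1
        best = max(best, i - j + 1)
    return best


def sequential_fraction(doc_ids: List[int]) -> float:
    """Share of gaps between a client's distinct ids that are exactly 1.
    Close to 1.0 means the client is walking the id space in order."""
    ids = sorted(set(doc_ids))
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def analyse(log_text: str, rate_limit: int = 5, min_docs: int = 5,
            seq_threshold: float = 0.8) -> Dict[str, Dict[str, object]]:
    """Per-client verdicts: the rate rule and the enumeration rule side by side."""
    per_ip: Dict[str, List[Tuple[str, datetime, int, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)
    report: Dict[str, Dict[str, object]] = {}
    for ip, recs in per_ip.items():
        times = [r[1] for r in recs]
        docs = [r[2] for r in recs]
        distinct = len(set(docs))
        report[ip] = {
            "distinct_docs": distinct,
            "rate_flag": max_requests_per_minute(times) > rate_limit,
            "enumeration_flag": distinct >= min_docs
                                and sequential_fraction(docs) >= seq_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, verdict in analyse(SAMPLE_LOG).items():
        print(ip, verdict)
```

Running it shows the slow client at 203.0.113.5 passing the rate rule while the enumeration rule flags it, which is the gap Farrow describes. In production the per-client grouping would key on the authenticated session rather than the source address, since a distributed bot spreads its requests across many IPs, and the distinct-document count would be compared against how many documents that customer is actually entitled to.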
The harvested information can be used by phishers to run Business Email Compromise (BEC) scams, in which bad actors deceive victims into transferring funds to accounts they control. This form of fraud is one of the most damaging, accounting for $1.2 billion in damages in 2018.
First American did not provide any guidance on what customers could do to protect themselves from fraud, but experts suggest temporarily freezing their credit at the credit bureaus until the incident is resolved and more information for victims is provided.