After a solid decade of nonstop corporate data breaches and exposures, you'd think large organizations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. On Friday, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. And while there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab—and so obviously valuable to scammers—that it's hard to rule out that possibility.
Krebs reports that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts—an absolute treasure trove for any scammer or identity thief. An attacker who figured out the format of the company's document URLs could have input any "record number" they wanted—beginning with "000000075," according to Krebs—and pull up the documents associated with that customer case. First American took down the site that populated the records at 2 pm ET on Friday. Krebs notified the company of the situation earlier this week.
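The flaw Krebs describes is an insecure direct object reference: the record number in the URL alone decided which document came back. As an added illustration (not First American's code; all records, account names and log lines are constructed), here is that lookup pattern beside one that ties the record to the authenticated account, plus a log check for the consecutive-number access pattern such an endpoint invites.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample store keyed by zero-padded sequential record number
# (the kind of identifier the article says appeared in the document URLs):
# record_number -> (owning account, document).
RECORDS: Dict[str, Tuple[str, str]] = {
    "000000075": ("alice", "wire receipt (sample)"),
    "000000076": ("bob", "tax statement (sample)"),
}

def fetch_record_unchecked(record_number: str) -> Optional[str]:
    """Vulnerable pattern: the URL parameter alone selects the document, so
    changing the number yields another customer's file; no identity is consulted."""
    rec = RECORDS.get(record_number)
    return rec[1] if rec else None

def fetch_record(session_user: str, record_number: str) -> Optional[str]:
    """Hardened pattern: the record must exist AND belong to the authenticated
    user. Missing and foreign records get the same answer, so the endpoint
    does not reveal which numbers are valid."""
    rec = RECORDS.get(record_number)
    if rec is None or rec[0] != session_user:
        return None
    return rec[1]

def flag_sequential_enumeration(log_lines: List[str], min_run: int = 3) -> Set[str]:
    """Detection side: given access-log lines of the constructed form
    '<client> <record_number>', report clients whose requests walk at least
    min_run consecutive record numbers."""
    seen: Dict[str, Set[int]] = {}
    for line in log_lines:
        client, record_number = line.split()
        seen.setdefault(client, set()).add(int(record_number))
    flagged: Set[str] = set()
    for client, numbers in seen.items():
        ordered = sorted(numbers)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged

# Constructed sample log: one client stepping through consecutive numbers, one not.
SAMPLE_LOG = [
    "10.0.0.5 000000075", "10.0.0.5 000000076", "10.0.0.5 000000077",
    "10.0.0.9 000000075", "10.0.0.9 000004120",
]
```

Calling fetch_record_unchecked("000000076") returns bob's document to anyone, while fetch_record("alice", "000000076") returns None; flag_sequential_enumeration(SAMPLE_LOG) reports only 10.0.0.5.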
"First American has learned of a design defect in an application that made possible unauthorized access to customer data," the company ..