US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

But it claims just 32 people had 'non-public' info disclosed. Eh?


The American Securities and Exchange Commission is said to be investigating a US insurance company that allegedly left 885 million personal records accessible "without authentication to anyone with a web browser".


As revealed by infosec journalist Brian Krebs in May this year, First American Financial Corporation was said to have leaked sequentially numbered documents including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and images of driving licences. The firm disabled serving of the files after being told of the leak.


Regarding the SEC's investigation, Krebs cited a letter sent to Ben Shoval, the property developer who originally noticed the leak earlier this year, from the commission's enforcement division. The letter asked Shoval to "immediately preserve, and voluntarily provide us with" any documents he had from the time of the data leak.


As we reported in May this year, the unsecured records were said to date back to 2003, which goes some way towards explaining the sheer scale of the allegations.


A class-action lawsuit (PDF) has also been under way since late May, with the lead claimant similarly alleging that First American was using sequential document numbers to display information to customers – potentially allowing anyone to change a digit or two of a URL of one insurance-related document to gain access to another belonging to a stranger.
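The flaw alleged above is a missing object-level authorisation check: the sequential document number in the URL is the only thing standing between a user and a stranger's file. The following added example (not code from First American or from the lawsuit; the store, document fields and helper names are constructed for illustration) shows that weak pattern beside a hardened handler that requires a session, looks documents up by an unguessable token, enforces ownership, and counts denials so repeated misses by one session can be surfaced for review.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int      # sequential internal number, like the numbered files described
    owner: str       # account that is entitled to view the document
    body: str        # constructed stand-in for the record contents


class DocumentStore:
    """Constructed in-memory store standing in for the insurer's document server."""

    def __init__(self):
        self._by_id = {}
        self._by_token = {}
        self.denials = Counter()   # failed lookups per session, for detection

    def add(self, doc):
        """Index the document by its sequential id and by a random external token."""
        self._by_id[doc.doc_id] = doc
        token = secrets.token_urlsafe(24)   # 192 random bits: not enumerable
        self._by_token[token] = doc
        return token


def serve_unauthenticated(store, doc_id):
    """Weak pattern: no login, no ownership check. Any valid number returns a file,
    so changing a digit in the URL yields another customer's record."""
    doc = store._by_id.get(doc_id)
    return doc.body if doc else None


def serve_authorized(store, token, session_user):
    """Hardened pattern: require a logged-in user, look up by unguessable token,
    and return the body only if that user owns the document. Every denial is
    attributed to the session so enumeration attempts become visible."""
    if session_user is None:
        return None
    doc = store._by_token.get(token)
    if doc is None or doc.owner != session_user:
        store.denials[session_user] += 1
        return None
    return doc.body


def suspicious_sessions(store, threshold=3):
    """Sessions whose denied lookups reached the threshold; a SOC review candidate."""
    return {user for user, n in store.denials.items() if n >= threshold}
```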


The complaint claimed:

It took no computer sleuthing to uncover numbers that will pull personal data; Fi ..