First American Financial Corp., one of the largest U.S. title insurers, may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003, according to a security researcher.
The flaw was outlined Friday in an article by Brian Krebs, a cybersecurity expert. Digitized records including “bank-account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver’s license images were available without authentication to anyone with a web browser,” he wrote.
In a statement, First American said that it learned of a “design defect in one of its production applications that made possible unauthorized access to customer data” and has shut down external access.
“We are currently evaluating what effect, if any, this had on the security of customer information,” the company said. “We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
Title insurers such as First American use their records and public documents to verify a seller is a property’s true owner and that it is free from liens. The companies collect a premium at the closing of the purchase and pay costs that may arise if someone disputes the new owner’s right to the property. That work means they regularly handle private information.
Ben Shoval, a real estate developer in Washington state, said he noticed the vulnerability after getting a link from First American earlier this week.
“I clicked on it and it sent me to a document that was for my transaction,” he said in an interview. “But when I looked at the link, I realized that if I just changed one number in it, it would show me other people’s private documents.”
Shoval said he tried notifying First American but received no response. Then he contacted Krebs, who was able to confirm the vulnerability and estimate its scale.
Krebs wrote in his article that he notified First American of the issue. He also noted that he didn’t have any information on whether fraudsters knew about the weakness or whether any documents had been mass-harvested.
Earlier on Friday, he suggested that the leak was “truly massive.” The company’s shares fell 2.2% in post-market trading before rebounding.
A spokesman for First American declined to comment on the number of records potentially exposed or how long they were publicly available.
The exposure of the records is the latest in a series of data breaches that have affected hundreds of millions of Americans.
Last year, Marriott International said that a data breach lasting four years compromised the personal information of up to 500 million of its hotel guests. The data included passport numbers, birth dates and potentially credit card information, in addition to contact information such as mailing addresses and email addresses.
In 2017, Equifax shook the financial world when the credit reporting agency said criminals had exploited a flaw in its software to gain access to the Social Security numbers and other personal information of more than 140 million Americans.
Buhayar and Crooks write for Bloomberg. Los Angeles Times writer Laurence Darmiento contributed to this article.