Insurance Company Exposes 885 Million Files

Real estate insurance company First American Financial Corp has exposed nearly 885 million sensitive customer documents dating back up to 16 years on a publicly available web page.

The company, which posted revenues of $1.3bn last quarter, provides mortgage title insurance and closing services for real estate transactions in the US. This gives it access to thousands of documents containing sensitive information about real estate purchases. This information, including bank statements, mortgage-related records, Social Security numbers, wire transaction receipts and scanned drivers' licences, was left for anyone to access without authentication.

Washington-based real estate developer Ben Shoval contacted cybersecurity reporter Brian Krebs to reveal the flaw. First American Financial had given Shoval a document link as part of a recent real estate transaction. He found that when he altered the document ID number at the end of the URL, it showed him an entirely unrelated document involving someone else's transaction. By continually altering the numbers, he could look at millions of documents dating back to 2003. 

The flaw appears to be an Insecure Direct Object Reference (IDOR). This is a common programming mistake in which visitors to a URL can reference any object they like by changing its ID without needing authentication. It potentially gives people access to records they shouldn't see, although there's no proof that the files were accessed that way in this case.
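To make the IDOR pattern concrete from a defender's side, here is an added, constructed illustration that is not code from the article, from First American, or from Krebs' write-up. It contrasts a lookup that trusts the ID in the request with one that checks the requesting user owns the document, shows an unguessable share token as defence in depth, and includes a small detector that flags a client walking through sequential document IDs in a constructed access log. The document store, user names, log format and IP addresses are all made up for the example.

```python
"""Constructed IDOR illustration: vulnerable lookup, authorized lookup,
unguessable share tokens, and a log-based enumeration detector.
All data here is invented for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import secrets


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    contents: str


# Constructed document store keyed by a sequential numeric ID,
# the kind of ID that can simply be incremented in a URL.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "closing statement (constructed)"),
    1002: Document(1002, "bob", "wire receipt (constructed)"),
    1003: Document(1003, "carol", "bank statement (constructed)"),
}


class Forbidden(Exception):
    """Raised when the caller is not authenticated."""


class NotFound(Exception):
    """Raised for IDs the caller may not see, whether or not they exist."""


def fetch_document_vulnerable(doc_id: int) -> Document:
    """Insecure direct object reference: the ID from the request is used
    as-is and nothing checks who is asking."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id)


def fetch_document_checked(doc_id: int, requesting_user: Optional[str]) -> Document:
    """Same lookup with an authorization check: the caller must be
    authenticated and must own the document. A document that exists but
    belongs to someone else produces the same NotFound as a missing one,
    so the endpoint does not reveal which IDs are valid."""
    if requesting_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != requesting_user:
        raise NotFound(doc_id)
    return doc


def can_access(doc_id: int, requesting_user: Optional[str]) -> bool:
    """Convenience wrapper: True only if the checked lookup succeeds."""
    try:
        fetch_document_checked(doc_id, requesting_user)
        return True
    except (Forbidden, NotFound):
        return False


def make_share_token(doc_id: int, token_store: Dict[str, int]) -> str:
    """Defence in depth for shared links: hand out a random, unguessable
    token that maps to the document server-side instead of exposing the
    sequential ID. The ownership check above still applies on redemption."""
    token = secrets.token_urlsafe(32)
    token_store[token] = doc_id
    return token


# Constructed access log, format: "<client_ip> <method> <path> <status>".
# 203.0.113.7 requests six different document IDs in sequence.
SAMPLE_LOG: List[str] = [
    "203.0.113.7 GET /documents/1001 200",
    "203.0.113.7 GET /documents/1002 200",
    "203.0.113.7 GET /documents/1003 200",
    "203.0.113.7 GET /documents/1004 200",
    "203.0.113.7 GET /documents/1005 200",
    "203.0.113.7 GET /documents/1006 200",
    "198.51.100.2 GET /documents/1002 200",
    "198.51.100.2 GET /documents/1002 200",
]


def detect_id_enumeration(log_lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Return clients that fetched more than `threshold` distinct document
    IDs, a simple signal for someone walking the ID space."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        ip, _method, path, _status = line.split()
        if path.startswith("/documents/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("vulnerable lookup returns:", fetch_document_vulnerable(1002).owner)
    print("alice -> 1002 allowed?", can_access(1002, "alice"))
    print("enumeration suspects:", detect_id_enumeration(SAMPLE_LOG))
```

The important design point is in fetch_document_checked: the object ID alone never decides access, the (user, object) pair does, and the error returned does not differ between "not yours" and "does not exist". The detector is deliberately crude; in practice it would be keyed on authenticated session rather than IP and tuned to the application's normal per-user document counts.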

First American Financial sent us the following statement:

"On May 24th, First American learned of a design defect in one of its production applications that made possible unauthorized access to customer data. Security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information.

"Therefore, the company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data."

Krebs pointed out that if the documents have been accessed, they would be a treasure trove for business email compromise (BEC) attackers, who use email-based social engineering to convince targets that they must pay large amounts in fraudulent transactions.

Mark Nunnikhoven, vice-president of cloud research at Trend Micro, said that BEC is a rising issue in the real estate market. "It's starting to target realtors," he explained. An attacker can apply a sense of urgency when posing as a realtor and try to fool a buyer into sending money to a fake account, or vice versa. The information in countless mortgage documents could help make an attack like this more convincing.
