First American leaks 900 million records
First American is the largest insurance company in the United States specialising in real estate. As well as the ‘largest in the USA’ title, they can now add ‘second largest data breach in history’ to their list of accolades; second only to the Yahoo hack of 2013 that exposed 3 billion accounts.
It appears this is an ongoing issue that dates back an incredible 16 years. Data leaked in the breach includes personally identifiable information such as social security numbers, bank account details and transaction records, tax records, driver’s licence images and more.
Think for a moment what a cyber criminal can do with that. You can be sure the data will find its way into the markets of the dark web and will likely be used, amongst other uses, for identity theft for years to come.
Whichever way you look at this, it is a gigantic data leak. But what is interesting and, perhaps, frightening is the reaction of First American when it was reported to them. There, erm, was no reaction. The leak was not found on the dark web, after having first been discovered by cyber criminals, nor was it discovered by security researchers. It was discovered by a developer of real estate software, Ben Shoval from Washington state.
He discovered that, simply by changing a single number in the URL sent to him by the company to allow him to access sensitive documents, he could access the same set of documents intended for others. As a responsible developer and as you would expect, Ben contacted First American to inform them of the issue. Only when his attempts to let them know failed did he contact Brian Krebs of KrebsOnSecurity, who broke the story.
It gets worse. Not only did the available documents date back to 2003, and not only could the sensitive documents of others be accessed simply by changing a digit in the URL, but new URLs were issued with sequential numbers, making it too easy to figure out the URLs sent to others and so access their documents.
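The flaw described above is a document lookup that trusts the number in the URL and never checks who is asking. The following Python is an added example, not First American's code or anything from the original reporting; the document store, function names, e-mail addresses and the HMAC-signed link design are all assumptions chosen to show the flawed pattern beside one corrected form.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential document IDs, each with one owner.
DOCUMENTS = {
    1001: {"owner": "alice@example.com", "body": "closing statement A"},
    1002: {"owner": "bob@example.com", "body": "wire instructions B"},
}
SIGNING_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def fetch_insecure(doc_id):
    """Flawed pattern: the ID in the URL is the only thing checked."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def issue_link_token(doc_id, recipient):
    """Bind a link to one document AND one recipient with an HMAC tag."""
    msg = f"{doc_id}|{recipient}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def fetch_secure(doc_id, recipient, token):
    """Serve a document only if the token matches this ID and recipient
    and the recipient is the recorded owner. `recipient` stands in for
    the authenticated session identity (assumption)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return None
    expected = issue_link_token(doc_id, recipient)
    if not hmac.compare_digest(expected, token):
        return None  # ID was altered, or token was issued for another link
    if doc["owner"] != recipient:
        return None  # authorisation check that does not depend on the link
    return doc["body"]
```

With the second function, altering the document number invalidates the token, and even a correctly signed link is refused unless the requester is the document's owner.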
Tyler Owen, Director of Solutions Engineering at CipherCloud, commented that data leaks like this have proved all too frequent in recent weeks, citing other leaks involving millions of records in just the last two weeks.
What of the Impact to First American and its customers?
The consequences of this could be long and protracted. Considering all that was needed was a valid URL as a starting point, it is very likely much of this very personal data has been lost to the dark web. This situation is a probability rather than a possibility, as a class action suit has already been filed against the company in the state of Pennsylvania. And as the breach and access to the data it exposed has been traced back to 2017, targeted phishing attacks can appear all the more genuine, as the attacker will have access to genuine personal data.
First American, as you might expect, are now under investigation, in their case, by the New York Department of Financial Services (NYDFS). They have been ‘asked’ (if that is the right word) by the NYDFS how the data leak happened and what they are doing to fix it.
The NYDFS could well fine First American if the data breach is found to be ‘reckless’. Although the United States doesn’t yet have strong data privacy laws, some of the data held is of European citizens. Does that mean the European data regulator will be ‘interested’ in this? That could mean a fine of up to €20 million or, which I suspect would be far greater, 4% of their annual global turnover.
And long-term growth of the company could be seriously affected. Remember that Moody’s recently reclassified Equifax’s credit rating to a downgraded ‘Negative’, the first time they have downgraded any company because of issues relating to cyber security.
Alex Bryson – 10th June 2019