Over the Memorial Day holiday weekend, it was reported that First American Financial, the corporate parent of First American Title Insurance Company and Ohio Bar Title Insurance Company, inadvertently exposed over 885 million sensitive consumer-related documents online through files stored on the company’s website, www.firstam.com. The leaked information included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver’s licenses. All of that information, which dated back to 2003, was available without any sort of protection and could be accessed without a password.
According to Forbes Magazine, which ran a story on the incident, this was a data leak rather than a breach: the information security issue was allegedly caused by simply exposing mass amounts of non-public consumer financial data online without password protection. There was no clear breach of the company’s servers and no evidence that a malicious third party gained access to files without permission. However, if a bad actor or actors were aware of this data leak, the compromise could be every bit as harmful as the Equifax breach of 2017. Interestingly enough, the financial stability rating firm Moody’s just announced today that it is downgrading Equifax over the 2017 data breach, which now imperils that consumer data company’s future.
What happened in the case of First American is, unfortunately, a relatively common website design error called Insecure Direct Object Reference (IDOR). Essentially, a link to a webpage with sensitive information was created and intended to be seen only by a specific party, presumably within First American. However, the site had no mechanism to verify the identity of whoever follows that link, or to check that they are authorized to see that particular document. As a result, anyone who discovers a link to one document can view it – and can reach any of the other documents hosted on the site simply by modifying the link. Although enumerating documents this way is time intensive for the person probing the site, predictable patterns in the links make it practical to find IDOR hits. Making matters worse for the site owners, it is nearly impossible to determine who actually saw the front door standing open and what was done with the information once found.
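To make the IDOR pattern concrete, here is an added example (not First American’s code, and not taken from the Forbes story): a toy document service in Python with the vulnerable lookup beside a hardened one. The document store, the user names, the identifiers and the function names are all constructed for illustration. The hardened version makes three changes the paragraph above calls for: it requires an authenticated session, it checks that the caller is authorized for the specific object requested, and it records every allow/deny decision so the site owner can later tell who looked at what.

```python
"""Added example, not First American's code: a toy document service
showing the IDOR weakness described above and its fix."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str      # the party entitled to see this record
    contents: str


# Constructed sample records. Sequential ids are what makes
# "modify the link" enumeration trivial when no authorization check exists.
DOCUMENTS = {
    "1001": Document("1001", "alice", "wire transfer receipt (constructed)"),
    "1002": Document("1002", "bob",   "bank statement (constructed)"),
    "1003": Document("1003", "carol", "tax document (constructed)"),
}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Record does not exist, or caller is not entitled to it."""


def fetch_document_insecure(doc_id: str) -> Document:
    """Vulnerable pattern: the link is the only 'credential'.

    Whoever holds or guesses an id gets the record, regardless of who they are.
    """
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    return DOCUMENTS[doc_id]


def fetch_document_secure(session_user: Optional[str], doc_id: str,
                          audit_log: list) -> Document:
    """Hardened pattern: authenticate, authorize per object, and log the decision.

    session_user is the identity established by the login system (None if
    the request is anonymous). audit_log collects (decision, user, id, reason)
    tuples so the owner can later answer "who saw this document?".
    """
    if session_user is None:
        audit_log.append(("deny", "anonymous", doc_id, "unauthenticated"))
        raise Forbidden("login required")

    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        # Return the same "not found" for a missing record and for someone
        # else's record, so responses do not reveal which ids exist.
        audit_log.append(("deny", session_user, doc_id, "not owner or not found"))
        raise NotFound(doc_id)

    audit_log.append(("allow", session_user, doc_id, "owner"))
    return doc


def count_readable(fetch: Callable[[str], Document], ids: Iterable[str]) -> int:
    """Self-check for a site owner: how many records does one caller reach
    by walking a list of ids? Under the insecure handler the answer is
    "all of them"; under the secure one it is only the caller's own."""
    readable = 0
    for doc_id in ids:
        try:
            fetch(doc_id)
            readable += 1
        except (Forbidden, NotFound):
            pass
    return readable


if __name__ == "__main__":
    ids = ["1001", "1002", "1003"]
    log: list = []
    print("insecure, anonymous caller reads:",
          count_readable(fetch_document_insecure, ids))
    print("secure, logged in as alice reads:",
          count_readable(lambda d: fetch_document_secure("alice", d, log), ids))
    print("secure, anonymous caller reads:",
          count_readable(lambda d: fetch_document_secure(None, d, log), ids))
    for entry in log:
        print("audit:", entry)
```

Running the script shows the insecure handler giving an anonymous caller all three records, while the hardened handler gives a logged-in user exactly one and an anonymous caller none, with each attempt recorded in the audit log. Unguessable identifiers can be added as defence in depth, but they are not a substitute for the per-object authorization check; the check is what actually closes the front door.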
Put aside what the Memorial Day leak means for First American’s reputation for protecting consumer data and, instead, concentrate on what that means for each of you as title agents, responsible for doing the same. We are reasserting a few good rules of the road to follow in response to the FA data leak.
Rule #1: If you are storing consumer data, especially non-public financial information (and all of you are), please take every step to secure the data behind firewalls and password-protected, two-factor authenticated systems of defense. Have your IT contractor or employee double-check the information architecture of your systems to ensure that no data is publicly accessible without authentication.
Rule #2: Schedule a meeting with your IT department to discuss the First American data leak and to audit your systems against the same.
Rule #3: Review your ALTA Best Practices protocols to make sure that you are not inadvertently exposing consumer data in any way. Report any leaks. Close them immediately.
Rule #4: If you are a First American agent, you should contact them to seek advice on how they wish to handle consumer inquiries related to this data leak. In most cases, anyone who has done business through a First American agent since 2003 would be well-advised to freeze their credit for the time being. Doing so will prevent any unauthorized parties from taking out loans or starting a line of credit in the consumer’s name without their permission. First American may have other advice. If you are an agent, contact them.