In yet another example of technology outpacing its users, an unsecured database of First American Financial has exposed hundreds of millions of records, including complete identities—names, account numbers, Social Security numbers, and much more—of American consumers. The information was compiled in a database that was left unsecured on a web-based server, meaning anyone with internet access could have stumbled across it.
The ITRC currently tracks seven categories of data loss methods and is categorizing the First American Financial breach under “accidental web exposure.” This kind of data exposure is becoming all too common. Web servers like this one are intended to let authorized individuals access documents online. All they need is the URL, or web address, for a single document; that URL is usually shared with the intended recipient by the owner, in this case, First American Financial. But if the web server isn’t password protected or doesn’t require authentication, all you’d have to do to see any other document in the database is change a digit in the URL. That single digit would provide you access to an entirely different customer’s personal information, history, bank account numbers, SSN, tax and mortgage records, and more.
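The difference between a server that trusts the number in the URL and one that checks who is asking can be shown in a short added example. This is illustrative code, not First American Financial's; the document store, session table, signing key and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)  # server-side signing key (assumption)

# Constructed sample store: document number -> (owner, contents)
DOCUMENTS = {
    1001: ("alice", "closing documents for alice"),
    1002: ("bob", "mortgage records for bob"),
}
SESSIONS = {"session-alice": "alice"}  # constructed: session token -> user

def fetch_unprotected(doc_id):
    """Weak form described above: the number in the URL is the only check."""
    entry = DOCUMENTS.get(doc_id)
    return (200, entry[1]) if entry else (404, None)

def fetch_for_user(doc_id, session_token):
    """Authenticate the caller, then check the caller owns this document."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)
    entry = DOCUMENTS.get(doc_id)
    # Same answer for "missing" and "not yours", so replies do not confirm ids.
    if entry is None or entry[0] != user:
        return (404, None)
    return (200, entry[1])

def sign_link(doc_id, expires_at):
    """Signature for a link shared with a recipient who has no account."""
    msg = f"{doc_id}:{expires_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def fetch_shared(doc_id, expires_at, signature, now):
    """Serve a shared link only if its signature matches and it has not expired."""
    if not hmac.compare_digest(sign_link(doc_id, expires_at), signature):
        return (403, None)
    if now > expires_at:
        return (410, None)
    entry = DOCUMENTS.get(doc_id)
    return (200, entry[1]) if entry else (404, None)
```

With the signed link, a recipient can still open a document from a URL alone, but altering the document number invalidates the signature, so the link works only for the document it was issued for.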
Even worse, in these kinds of breaches, there’s no way of knowing whether anyone accessed the records. In the case of First American Financial, a real estate professional discovered this flaw by mistake. When he reported it to the company and received no response, he reported the security incident to Krebs on Security, who then confirmed it.
First American Financial is one of the country’s largest title insurance providers—meaning it has handled hundreds of millions of consumer records. Fortunately, a new tool can help consumers make sense of a data breach; Breach Clarity helps people who are affected by the breach understand their options and take corrective action. If any of the estimated 885 million records were actually accessed by a malicious individual and you think you may be a victim, securing your credit report with a freeze and monitoring your accounts are some of the few useful steps you can take. For its part, the company has taken steps to close off further access to these records, but isn’t offering any further information until its own internal review is completed.
The Identity Theft Resource Center and Futurion have partnered and launched a tool called Breach Clarity, which takes publicly available data breach information and breaks down both the threat and actionable steps for consumers.