First American, the largest real estate title insurance company in the United States, just won a particularly awful silver medal. An ongoing data leak at the company appears to have exposed the transaction records of about 900 million customers, which would make it the second-largest data breach in history behind the 3 billion accounts that were impacted by the Yahoo! hack of 2013.
Brian Krebs of KrebsOnSecurity broke the story, reporting that the documents involve mortgage deals and date back 16 years to 2003. Krebs reports that the leaked documents include bank account numbers and transaction records, Social Security numbers, driver’s license images, tax records and more. The leaked documents are a treasure trove for cyber criminals in terms of both personal identity theft and business email compromise attacks.
The worst part of all this is that this devastating leak wasn’t the result of a phishing scam, or even an insecure Amazon bucket. First American appears to have failed to secure unique URLs to these documents properly, using a sequential system and allowing anyone to access customers information simply by entering the right URL into a web browser.
A particularly inexcusable data leak
This gigantic leak was not discovered by security researchers, nor did it appear on the dark web. It appears to have been discovered by real estate developer Ben Shoval of the state of Washington. Shoval noticed that simply raising or lowering a single digit in the document URL sent to him loaded sensitive documents belonging to other people. After attempting to bring the problem to First American’s attention and getting no response, Shoval turned to reporting the issue to Krebs.
The document dates at the URLs with numbers most closely matched to Shoval’s original link were also closely matched to the date of his personal documents, indicating that First American was not only allowing global access to anyone with the right URL but also issuing new URLs with sequential numbers. At least 885 million of these records were available during the vulnerability window.
Further research performed by Krebs On Security found that the available documents dated all the way back to 2003, and new documents were being generated until May 24. The company has since disabled the leaky URLs. It is unclear how long this state of affairs was in place, but Krebs reports that archive.org was able to retrieve documents from the insecure URLs dating back to as early as March 2017. It is not currently known who accessed the documents during this apparent extended period of vulnerability. First American is not commenting until an internal review is completed.
This is the sort of design defect that sounds more like something out of 1999 than 2019. As Colin Bastable, CEO of Lucy Security observed:
“This is careless and incompetent complacency, and it goes back to 2003. You might have thought that there would have been a security audit in the last 16 years, or that someone would have noticed that data attracts data thieves: ‘Hey, is all this data really secure?’ Years ago, a teenager from England managed to roam around Defense Department servers, because they had no password protection. The problem is longstanding. Out of convenience or forgetfulness, and by people making assumptions, so much data is left unguarded.
“The distributed and fragmented nature of the US property market, with its many moving parts and multiple actors having a hand in each property transaction (for a slice of the action), means that ease of access to data is given greater priority than security of the data. To cut costs, large corporations outsource many functions to third parties who all need access to the data, not unlike the US healthcare industry. Government adds to the problem by requiring multiple audit trails and adding layers of compliance. So we should not be surprised that data security is chronically impaired in the US property market. The technologies and policies and procedures have long existed to secure this type of data, but somehow it is often too inconvenient to apply them.”
While the “security through obscurity” approach of a randomly generated URL is not ideal, it is generally considered acceptable for low-sensitivity applications. For example, most readers will probably be familiar with the unique URLs that Google generates when documents and photos are updated to their storage services; the long and complex URL effectively acts as its own password. There are some key differences, however. Google’s URLs are generated by an algorithm, not sequential – the chances of altering one or two characters in a URL and being taken to a new document are astronomical. Google also allows added layers of security of customer information and access control with these URLs, giving the option of only granting access to certain pre-approved accounts. And the Google URLs consist of 40 security characters, not the mere nine seen in the First American system.
According to Tyler Owen, Director, Solution Engineering at CipherCloud:
“Unfortunately these types of data leakages are quite common. In the past two weeks we have seen multiple databases of millions of records exposed with no authentication or controls. Often times there are easy fixes for many of these breaches with the appropriate planning and right tools.”
Impact and consequences of the First American data breach
The First American data leak is likely to have a long reach and cause a lot of pain. Millions of Americans may now have their most sensitive personal financial details available on the dark web; the company also has clients in Canada and Europe that may have been exposed. First American has retained an outside security firm to determine the extent of the data leak access, but it will likely be difficult given that exfiltration was as simple as knowing the correct master URL.
A class action suit has already been filed in Pennsylvania. Given that the ability to access sensitive personal data in this way has been traced back to at least early 2017, it is quite plausible that criminal actors have already discovered this data leak and put it into use. There is certainly incentive to do so, as phishing attacks in which a real estate firm is impersonated, and specific financial details are provided are among the most lucrative and successful types.
The New York State Department of Financial Services (NYDFS) has also opened a probe of the First American data leak. At present, the department has asked First American to explain how the data leak happened and what steps are being taken to fix it. First American falls into a category of financial companies that are subject to more strict personal information data handling regulations than most (under the relatively new Part 500 terms) in the state. First American could potentially be fined if the NYDFS finds that the data leak was “reckless” in nature.
How did this happen?
As many commenters have already noted, very basic security audits should have caught this issue early. First American is also a large company with over 10,000 employees, and it seems reasonable that even non-security personnel should have noticed this issue at some point.
Adam Levin, Founder of CyberScout and author of “Swiped” says:
“A hacker only needed to guess a URL to view documents related to mortgage deals including bank account numbers, tax records, Social Security numbers, and scans of drivers licenses. First American stored a treasure trove of data that was not properly protected making them a prime target for hackers and scammers. This is yet another example of a cautionary tale of how businesses need to make cybersecurity a front burner issue and create a culture of privacy and security from the mail room to the boardroom.”
Byron Rashed, VP of Marketing at Centripetal, expanded on the issue:
“This kind of disclosure isn’t common; usually the back doors are from vulnerabilities that have not yet been discovered or patched. In this case, there was no authentication – if you stole credentials from somewhere else, you could access all kinds of account information. It’s very surprising for a Fortune 500 company to have this kind of security posture. What they should have done is what most companies do – authenticate with a password or 2-factor authentication. This so beyond a textbook example of a breach.”
The United States does not yet have a strong federal-level data privacy law, so First American is looking at a limited amount of the sort of legal blowback that usually prompts companies to keep on top of data breaches like these. They are hardly home free in terms of consequences, however. There is the class-action suit to consider, the investigation by the state of New York, and the possibility of having their credit rating outlook downgraded. Moody’s set a precedent in early May by downgrading Equifax’s credit outlook to “negative”, the first time it has downgraded any company due to cyber issues.