Skip to main content

Millions of real estate records were publicly accessible due to lax security

Stock photo of lock and data
Darwin Laganzon/Pixabay

A major financial services company, First American Corporation, has left millions of records publicly accessible on its servers. The data included bank account details, bank statements, mortgage records, driver’s license images, and Social Security numbers, and was available to access without authorization by anyone who connected to an area of the company’s website.

The company provides title insurance and settlement services, and is a major player in the real estate and mortgage industries. The publicly accessible data was discovered by a real estate developer who reported it to the company but got no response. He then shared the finding with an online security blog.

“Closing agencies are supposed to be the only neutral party that doesn’t represent someone else’s interest, and you’re required to have title insurance if you have any kind of mortgage,” Ben Shoval, the developer who discovered the leak, said to KrebsOnSecurity. “The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business. You give them all kinds of private information and you expect that to stay private.”

As many as 885 million files were accessible, dating back to 2003. It is not known at this time how long the documents were exposed for, but they were available from at least March 2017. First American Corporation has not confirmed how many people’s data was vulnerable or whether cyber criminals could have been aware of the data before this week.

The company learned about the accessibility of the documents on Friday and reported that it immediately blocked external access to them and began an investigation into any resulting security issues.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data,” a First American spokesperson said in a statement shared with KrebsOnSecurity. “At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

Editors' Recommendations

Georgina Torbet
Georgina is the Digital Trends space writer, covering human space exploration, planetary science, and cosmology. She…
GPT-4 Turbo is the biggest update since ChatGPT’s launch
A person typing on a laptop that is showing the ChatGPT generative AI website.

OpenAI has just unveiled the latest updates to its large language models (LLM) during its first developer conference, and the most notable improvement is the release of GPT-4 Turbo, which is currently entering preview. GPT-4 Turbo comes as an update to the existing GPT-4, bringing with it a greatly increased context window and access to much newer knowledge. Here's everything you need to know about GPT-4 Turbo.

OpenAI claims that the AI model will be more powerful while simultaneously being cheaper than its predecessors. Unlike the previous versions, it's been trained on information dating to April 2023. That's a hefty update on its own -- the latest version maxed out in September 2021. I just tested this myself, and indeed, using GPT-4 allows ChatGPT to draw information from events that happened up until April 2023, so that update is already live.

Read more
Robot crushes man to death after mistaking him for a box
A smart factory concept.

A robot crushed a man to death after apparently mistaking him for a box, South Korean media reported.

The tragedy occurred on Wednesday evening local time at a vegetable sorting facility in South Gyeongsang province about 150 miles south of Seoul, according to the BBC.

Read more
Amazon expands Fresh grocery delivery for non-Prime members
A person delivery an Amazon Fresh order to a customer's home.

Amazon is expanding its Fresh grocery deliveries to non-Prime members nationwide.

The company started offering the service to non-Prime members in 12 cities in August, but on Thursday, Amazon said it was expanding to locations across the country.

Read more