885 Million Records Exposed Online: Bank Transactions, Social Security Numbers, and More


Several million records, said to include bank account details, Social Security digits, wire transactions, and other mortgage paperwork, were found publicly accessible on the server of a major U.S. financial service company.

More than 885 million records in total were reportedly exposed, according to Krebs on Security. The data was taken offline on Friday.


Ben Shoval, a real-estate developer, reportedly discovered the files online and notified security reporter Brian Krebs. Krebs said that he contacted the server’s owner, First American Corporation, prior to reporting the incident.

A leading title insurance and settlement services provider, First American is a large company headquartered in California with more than 18,000 employees. Its total assets in 2017 were reported at over $9.5 billion.

A company spokesperson told Gizmodo it learned about the issue on Friday and that the unauthorized access was caused by a “design defect” in one of its production applications. It immediately blocked external access to the documents, they said, and began evaluating, with the help of an outside forensics firm, what effect, if any, the exposure had on the security of its customers’ information.

“Security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information,” the company said.


According to Krebs, Shoval said that the millions of documents, which appeared to date back as far as 2003, included “all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”

Krebs reported that the files were accessible without any kind of authentication.


“I should emphasize,” Krebs wrote, “that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”


Update, 8pm: Added a statement provided by First American.



About the author

Dell Cameron
