Several million records said to include bank account details, Social Security digits, wire transactions, and other mortgage paperwork, were found publicly accessible on the server of a major U.S. financial service company.
More than 885 million records in total were reportedly exposed, according to Krebs on Security. The data was taken offline on Friday.
Ben Shoval, a real-estate developer, reportedly discovered the files online and notified security reporter Brian Krebs. Krebs said that he contacted the server’s owner, First American Corporation, prior to reporting the incident.
A leading title insurance and settlement services provider, First American is a large company headquartered in California with more than 18,000 employees. Its total assets in 2017 were reported at over $9.5 billion.
A company spokesperson told Gizmodo it learned about the issue on Friday and that the unauthorized access was caused by a “design defect” in one its production applications. It immediately blocked external access to the documents, they said, and began evaluating, with the help of an outside forensics firm, what effect, if any, the exposure had on the security of its customers’ information.
“Security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information,” the company said.
According to Krebs, Shoval said that the millions of documents, which appeared to date back as far as 2003, included “all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”
Krebs reported that the files were accessible without any kind of authentication.
“I should emphasize,” Krebs wrote, “that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”
Update, 8pm: Added a statement provided by First American.