First American Financial Sued Over Massive Data Breach

First American Data Breach

First American Financial Corp. Sued Over Hundreds of Millions Leaked Title Insurance Records

First American, the largest title insurance companies in the United States, is being sued over a massive data breach that exposed the financial data of millions of Americans. The leaked files contain banking details, tax returns, and personal data of millions of US home buyers and sellers who used First American. The lawsuit was filed in the U.S. District Court for the Central District of California. To read a copy of the class action complaint, click here.

In this massive data breach, 885 million files were available online with no password protection or any other authentication required to access them. The breached files are documentation gathered during real estate transactions including buyer and seller bank account numbers, Social Security numbers, financial information, income tax forms, and drivers’ license images. Email addresses, full names, as well as phone numbers of closing agents were also part of the data leak. Anyone with a link to the files could access the records using only a standard web browser like Chrome, Safari, or Firefox. The leak was first reported by cyber security researcher, Brian Krebs who was contacted by Gritz when First American would not respond to him.

Keeper Password Protection
Keeper Password Protection

The federal lawsuit is Gritz v. First American Financial Corp., et al., Case No. 8:19-¬cv-¬01009 was filed, in the U.S. District Court for the Central District of California. Pennsylvania resident David Gritz is a real estate developer in Washington state.

First American uses an online signing and documentation process for parties involved in real estate transactions. The links led to an area of their website, Firstam.com, which contained documents to be signed as well as files sent to First American as part of the closing process. Anyone with one of the file links could change one digit in the link to see millions of financial documents belonging to other buyers and sellers.

The class action lawsuit explains, “Suppose that you are a First American customer. The company provides you with a URL to access your documents on its website. That URL might end in ‘DocumentID= 000000075.’ Now suppose you want to access someone else’s personal file. Type the same URL but alter the Document ID number by one digit—say, ‘DocumentID=000000076’—and someone else’s personal file will appear. Change the numbers again (and again), and you will reveal still more personal files.” Because of this simple, serial document numbering system, First American allowed anyone to access the sensitive files of millions of customers.

Who is First American Title Company?

Home buyers are required to have title insurance if they need a mortgage to buy a property. Title insurance protects the interest of the mortgage banker. The process collects extensive documentation on both the buyer and seller including Social Security numbers, government identification, financial account statements, and tax returns.

First American provides title insurance and real estate settlement services as two separate entities. The companies are First American Financial Corporation and First American Title Company, earning $5.7 billion in 2018. The companies provide title insurance, escrow maintenance, document signing services, and financial accounting. Based in Santa Ana, California, First American employs about 18,000 people.

First American Data Breach – What to Do Next

First American shut off access to the financial documents and retained a third-party cyber security forensic firm. It is unknown who has accessed the data or if it was compromised by hackers. Part of this investigation will likely involve searching for customers’ financial records on the dark web.

If customer data was foudn to be stolen by hackers, they could easily become victims of identity theft. With so much data stored about a home buyers and sellers, First American clients could also be targets of phishing email scams. Businesses may be targeted by a costly Business Email Compromise where victims are fooled into wiring money to hackers. Armed with a single link to a First American document, BEC scammers would have an endless supply of very convincing phishing templates to use. A database like this also would give fraudsters a constant feed of new information about upcoming real estate financial transactions — including the email addresses, names and phone numbers of the closing agents and buyers.

If you were a First American Customer, you may want to:

  • Check your credit score
  • Order credit reports from all three credit bureaus – Equifax, Experian, and TransUnion. Consumers are entitled to one free credit report from each service every year
  • Look for new accounts that have been opened in your name
  • Place a fraud alert on your credit files to guard against identity theft. A fraud alert directs credit issuers and banks to verify your identity before opening new accounts
  • Freeze your credit to stop anyone from opening a new bank or credit account in your name – this includes you – until the freeze is removed
  • Enroll in a credit monitoring service

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers