Just before Memorial Day weekend, security watchdog investigators Krebs On Security reported that First American Financial Corp. leaked 885 million files related to mortgage deals going back to 2003. These digital records, available unprotected via any web browser, were found to include personally identifying information including bank account numbers, statements, tax records, social security numbers, drivers license images and more.
Which information was leaked? Who saw it?
First American Financial Corp. is one of the country’s largest real estate title insurance agencies. Amongst other services, they act as a neutral third-party agency during the closing of real estate transactions. This task requires gathering in-depth data from both the buyer and seller. As Krebs On Security suggests, the First American leak is consistent with the depth of information frequently found in closing transactions.
The leak came to light when real estate developer Ben Shoval found a vulnerability in the URL structure used by First American: anyone with the URL for a valid document on the FirstAm.com website could view other people’s information just by modifying a single digit in the link. According to Shoval, he shared this information with First American when he discovered it, but shared it with the media after not getting a response.
While these documents were unprotected, it is unclear whether or not the links were ever accessed or used maliciously. At this point, there is no reason to believe that this data has been recorded or distributed in any large scale manner. A spokesperson for First American categorized the incident as “a design defect in an application that made possible unauthorized access to customer data.”
What has been done? How do I know if my data was included?
In response to the incident, First American also filed a report with the U.S. Securities & Exchange Commission confirming it has shut down the source of the leak. The filing also confirms that an outside forensic agency has been hired to assess how much customer information has been compromised. The results of this investigation are underway, but the company pledges to notify and provide credit monitoring services to any affected consumers and encourages American customers to visit www.firstam.com/incidentupdate for the latest security updates.
What should I do to monitor my credit and protect myself from identity theft?
Beyond staying up to date about the status of the leak, there are some actionable steps you can take if you’re concerned about the safety of your personal data.
Monitor your accounts and credit reports.
There are three major credit bureaus that issue credit reports: Experian, TransUnion and Equifax. If you don’t already have them, request all three reports. Check for any unauthorized transactions and report any fraudulent incidents. If you don’t want to do this yourself, a paid credit monitoring service will notify you about any potential suspicious activity on your accounts.
Place a security freeze on your accounts.
A freeze places a hold on your credit as an extra layer of protection against the unauthorized creation of new credit lines. It prohibits new lenders from viewing your report or issuing new lines of credit unless you unfreeze the account, usually by using a secure PIN. It’s free to place a security hold on your account with all three credit bureaus. In addition, experts suggest you should also place a security freeze with three companies that collect mortgage, banking and telecom information: Innovis, ChexSystems and NCTUE.