Security Experts Concerned About

First American Corp. Leaked Thousands of Financial Reports

By Bill Toulas - May 25, 2019

The organization only became aware of the issue yesterday, although the database had remained unsecured since March 2017. Because of this accident, millions of buyers and sellers had their full financial information exposed, along with the associated PII.

The financial services and title insurance corporation ‘First American Financial Corporation’ has leaked millions of documents containing extremely sensitive data. The documents date back to 2003 and include tax records, mortgage records with social security numbers, bank account statements, wire transaction receipts, and even driver license scans. The leak occurred through a section of the firstam.com website that allowed anyone to access and update any document directly, as long as the right URL was submitted. With one valid URL, changing the digit at the end was enough to reach hundreds of millions of records without any form of authentication.

KrebsOnSecurity got the initial tip from a real estate developer, Ben Shoval, who found the issue, and reported that at least 885 million files had been leaked. Having discovered records that involved himself, Mr. Shoval tried other URLs and pointed out that the records were numbered sequentially, which made them easy to find. The records start at number 75, which relates to a transaction made in 2003, and run up to 885000000, which corresponds to records made on May 24, 2019.

The company finally disabled the leaking website yesterday and released the following statement on the incident:

“First American learned of a design flaw in an application which made it possible to access unauthorized customer data. Privacy and confidentiality are paramount at First American Security and we are committed to protecting information about our customers. The company immediately took action to deal with the situation and shut down external access to the program. We are currently investigating what impact this would have on customer information security, if any. We will have no further feedback until our internal review is done.”

From digging into the archive.org archives, it is clear that the documents have been available on the site since at least March 2017, so this was not exactly a timely response from First American. It is difficult to say whether these documents were actually accessed by malicious actors, but the fact that they remained available for such a long time leaves little room for optimism. Scammers of all kinds, particularly BEC (Business Email Compromise) actors, will delight in the information contained in these documents. That said, another Fortune 500 company’s absolute irresponsibility once again illustrates the risks of trusting businesses that choose not to commit even a tiny percentage of their massive profits to data protection.
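
The design flaw described above, a document URL ending in a sequential number and served without authentication, is shown here next to a corrected lookup. This is an added example, not First American's code: the record store, user names, function names and the alert threshold are all assumptions made for illustration.

```python
import secrets
import time

# Constructed sample records, numbered sequentially like the ones in the article.
DOCUMENTS = {
    75: {"owner": "alice", "body": "2003 closing statement"},
    76: {"owner": "bob", "body": "wire transfer receipt"},
    77: {"owner": "alice", "body": "tax record"},
}
SHARE_LINKS = {}            # token -> (doc_id, expiry timestamp)
DENIALS = {}                # client -> number of refused lookups
DENIAL_ALERT_THRESHOLD = 3  # assumed value; tune per application

class AccessDenied(Exception):
    """Raised for every refused lookup, whatever the reason."""

def get_document_insecure(doc_id):
    """Flawed pattern: a valid number in the URL is the only requirement."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None

def get_document(user, doc_id, client="unknown"):
    """Hardened lookup: the caller must be authenticated and own the record."""
    doc = DOCUMENTS.get(doc_id)
    if user is None or doc is None or doc["owner"] != user:
        # Same error for "missing" and "not yours": no oracle for valid numbers.
        DENIALS[client] = DENIALS.get(client, 0) + 1
        raise AccessDenied("document not available")
    return doc["body"]

def is_enumerating(client):
    """Repeated refusals from one client suggest the number space is being walked."""
    return DENIALS.get(client, 0) >= DENIAL_ALERT_THRESHOLD

def issue_share_link(user, doc_id, ttl_seconds=3600):
    """For links sent by e-mail: a random 256-bit token instead of the record number."""
    get_document(user, doc_id)  # only the owner may create a link
    token = secrets.token_urlsafe(32)
    SHARE_LINKS[token] = (doc_id, time.time() + ttl_seconds)
    return token

def resolve_share_link(token, now=None):
    """Return the document for a known, unexpired token; refuse otherwise."""
    doc_id, expiry = SHARE_LINKS.get(token, (None, 0))
    if doc_id is None or (time.time() if now is None else now) > expiry:
        raise AccessDenied("link invalid or expired")
    return DOCUMENTS[doc_id]["body"]
```

The ownership check is the actual fix; random tokens and the refusal counter only limit guessing and make it visible.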