First American Financial Corporation (FAFC) exposed millions of sensitive mortgage documents on an unprotected website. Researchers found that part of the FAFC website was unprotected and contained documents that include bank account numbers, bank statements, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images. According to researchers, anyone who knew the link needed only a 9-digit number to view a file, and could change that 9-digit number to access any other document. The files dated back more than 16 years and contained more than 885 million individual records. After being notified of the issue, FAFC took the site down and then disabled external access to the application. FAFC is currently conducting an internal investigation to determine the extent of the leaked data. It is unclear who has accessed the data to date and whether the information was copied.
Analyst Notes
Companies should continually review their sites and programs for possible breaches and misconfigured security protocols. Individuals should employ credit monitoring services, either through their bank or a third-party service, to alert them to possible identity theft. This leaked information could also be used in a targeted phishing campaign. Users should be suspicious of any email that appears malicious or questionable in nature.
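
The exposure described above is a document lookup keyed only by a guessable number. The following Python is an added example, not code from the report or from FAFC: it contrasts that lookup with two hardened forms, a per-document ownership check and an HMAC-signed expiring link. The document store, user names, and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: 9-digit document IDs mapped to an owner and a body.
DOCUMENTS = {
    "000000075": {"owner": "alice", "body": "wire receipt (sample)"},
    "000000076": {"owner": "bob", "body": "tax record (sample)"},
}
LINK_KEY = secrets.token_bytes(32)  # server-side secret, generated per run here


def fetch_unprotected(doc_id):
    """Exposed pattern: the 9-digit number alone selects the file."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def fetch_authorized(session_user, doc_id):
    """Hardened: authenticated caller plus a per-document ownership check."""
    if session_user is None:
        raise PermissionError("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so replies do not confirm IDs.
    if doc is None or doc["owner"] != session_user:
        raise PermissionError("not found or not permitted")
    return doc["body"]


def make_link_token(doc_id, expires_at):
    """Bind a shareable link to one document and one expiry time."""
    msg = f"{doc_id}|{expires_at}".encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def fetch_by_link(doc_id, expires_at, token, now):
    """Hardened link access: editing the ID or expiry invalidates the token."""
    expected = make_link_token(doc_id, expires_at)
    valid = hmac.compare_digest(expected.encode(), token.encode())
    if not valid or now > expires_at or doc_id not in DOCUMENTS:
        raise PermissionError("invalid or expired link")
    return DOCUMENTS[doc_id]["body"]
```

With the signed link, a recipient who changes the number in the URL gets a rejection, because the token no longer matches the document ID it was issued for.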