Several million records, said to include bank account details, Social Security digits, wire transactions, and other mortgage paperwork, were found publicly accessible on the server of a major U.S. financial service company.

More than 885 million records in total were reportedly exposed, according to Krebs on Security. The data was taken offline on Friday.

Ben Shoval, a real-estate developer, reportedly discovered the files online and notified security reporter Brian Krebs. Krebs said that he contacted the server’s owner, First American Corporation, prior to reporting the incident.

A leading title insurance and settlement services provider, First American is a large company headquartered in California with more than 18,000 employees. Its total assets in 2017 were reported at over $9.5 billion.

A company spokesperson told Gizmodo it learned about the issue on Friday and that the unauthorized access was caused by a “design defect” in one of its production applications. It immediately blocked external access to the documents, they said, and began evaluating, with the help of an outside forensics firm, what effect, if any, the exposure had on the security of its customers’ information.

“Security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information,” the company said.

According to Krebs, Shoval said that the millions of documents, which appeared to date back as far as 2003, included “all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”

Krebs reported that the files were accessible without any kind of authentication.

“I should emphasize,” Krebs wrote, “that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”


Update, 8pm: Added a statement provided by First American.
