On Friday, news broke on Krebs on Security that First American Financial Corp, a title insurance company headquartered in California with $5.8B in annual revenue and more than 18,000 employees, had potentially exposed millions of records of non-public confidential consumer information due to a significant flaw in their online web portal. The vulnerability was first discovered by a developer who attempted to contact First American Financial to notify them about the issue. Due to the lack of a timely response from the company, the developer notified Brian Krebs so that he could make a public announcement.
Specifically, the developer discovered that it was possible to recall documents submitted by consumers with clear details such as Social Security Numbers, bank routing information and contact information for parties to title insurance transactions. These details are extremely useful to threat actors for use in Phishing and Business Email Compromise attacks. While it does not appear that any non-public consumer information that may have been accessed as a result of this vulnerability has actually turned up online, the information was clearly visible and accessible.
While this is just another in a long string of announced data breaches, companies can and should seek to learn from it. First, when developing a custom application, formal security testing should be completed to ensure that the application addresses the OWASP Top 20 security vulnerabilities. In the case of the First American Financial Corp incident, being able to manually manipulate the URL of the website to recall other parties' documents is a basic authorization flaw that this type of testing is designed to identify.
Second, companies should consider having a third party conduct annual penetration tests that include, at a minimum, testing of all public-facing applications including web portals. Such penetration tests should uncover vulnerabilities like the one identified within First American’s online environment.
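The flaw described above, a document id taken straight from the URL and served without checking who is asking, is easiest to see next to its fix. The following is an added example written for this post; it is not First American's code and nothing about their portal is known beyond what is stated above. It shows a minimal "before" handler, a hardened handler that enforces object-level authorization, an unguessable-handle layer as defense in depth, and the kind of automated cross-user check that the security testing and penetration testing recommended in the two preceding paragraphs would run. All users, ids and document contents are constructed.

```python
"""Added example (not from the original post or First American Financial):
a minimal document-retrieval service. Sequential ids model the guessable
identifiers that make a URL easy to manipulate; all data is constructed."""
import secrets

# Constructed sample records: doc id -> owner and contents.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement (alice)"},
    1002: {"owner": "bob",   "body": "wire instructions (bob)"},
}


class Forbidden(Exception):
    """Raised when a caller may not read the requested record."""


def get_document_vulnerable(requesting_user: str, doc_id: int) -> str:
    """'Before': trusts the id from the URL. Any logged-in user who changes
    the number can read any other party's document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError("not found")
    return doc["body"]  # requesting_user is never consulted


def get_document_hardened(requesting_user: str, doc_id: int) -> str:
    """'After': object-level authorization. The record must belong to the
    caller; missing and foreign records get the same error so the response
    does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        raise Forbidden("not found")
    return doc["body"]


class DocumentStore:
    """Defense in depth: URLs carry a random token instead of a sequential
    number, and the authorization check still runs behind the token."""

    def __init__(self) -> None:
        self._by_token: dict[str, int] = {}

    def register(self, doc_id: int) -> str:
        token = secrets.token_urlsafe(24)  # 192 bits, not enumerable
        self._by_token[token] = doc_id
        return token

    def fetch(self, requesting_user: str, token: str) -> str:
        doc_id = self._by_token.get(token)
        if doc_id is None:
            raise Forbidden("not found")
        return get_document_hardened(requesting_user, doc_id)


def authorization_test(handler) -> dict:
    """Automated check of the kind a security test would include: every
    user tries every known id. Returns (user, doc_id) -> 'allowed'/'denied'."""
    results = {}
    for user in ("alice", "bob"):
        for doc_id in DOCUMENTS:
            try:
                handler(user, doc_id)
                results[(user, doc_id)] = "allowed"
            except (Forbidden, KeyError):
                results[(user, doc_id)] = "denied"
    return results


def cross_user_reads(handler) -> int:
    """Number of cases where a user could read someone else's document.
    Anything above zero is a finding."""
    return sum(
        1 for (user, doc_id), verdict in authorization_test(handler).items()
        if verdict == "allowed" and DOCUMENTS[doc_id]["owner"] != user
    )


def store_demo() -> tuple:
    """Token layer: the owner can fetch, another user cannot."""
    store = DocumentStore()
    token = store.register(1002)
    owner_ok = store.fetch("bob", token) == "wire instructions (bob)"
    try:
        store.fetch("alice", token)
        other_denied = False
    except Forbidden:
        other_denied = True
    return owner_ok, other_denied


if __name__ == "__main__":
    print("vulnerable cross-user reads:", cross_user_reads(get_document_vulnerable))  # 2
    print("hardened cross-user reads:", cross_user_reads(get_document_hardened))      # 0
    print("token layer (owner ok, other denied):", store_demo())
```

The important line is the ownership comparison in `get_document_hardened`: random tokens alone raise the cost of guessing but do not replace the check, and returning one uniform error for both missing and foreign records keeps the portal from confirming which ids are valid. A check like `cross_user_reads` belongs in the application's own test suite as well as in the annual third-party test, so the flaw is caught on every build rather than once a year.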
Given the current regulatory environment with respect to information and data security, companies should pay close attention to any and all vulnerabilities that could result in the compromise of sensitive consumer information. This is undoubtedly one of the largest potential consumer data breaches that has occurred within the mortgage and lending industry. We will continue to monitor the extent to which this incident impacts the industry. In the meantime, other organizations should take note and seek to strengthen their security posture in an effort to avoid similar vulnerabilities and breaches.
JT Gaietto is Executive Director, Cybersecurity Services for Richey May Technology Solutions. He focuses on providing clients with critical security and regulatory compliance support, including incident response, third-party risk management, business continuity and customer and government due diligence oversight. He can be reached at firstname.lastname@example.org.