When businesses think of the ways poor cyber security can lose them money, they often think of hackers breaching their systems. It’s easy to picture this as a pitched battle between cyber criminals storming the castle walls and defenders seeking to repel them. Unfortunately, some cyber incidents and privacy breaches occur not through the concerted efforts of the bad guys but through simple mistakes and negligence by a company’s own employees.
A Simple Error
On Friday, May 24, 2019, one of the largest privacy breaches ever occurred because of a simple error in coding an application. Around eight hundred to nine hundred million (800,000,000 to 900,000,000) documents were made publicly accessible through the website of First American Financial Corp., a real estate title insurance company that helps home buyers and sellers through the settlement process. In doing so, it collects a great deal of personal information, including bank account numbers and social security numbers, and it also processes wire transfers.
Discovering a Breach
The breach was discovered by a real estate agent attempting to access documents in preparation for a settlement. He realized he could access large caches of documents dating back more than a decade and notified the company and several cyber security reporters. The documents, which were neither password-protected nor encrypted, included wire receipts and small business financial records, among other protected personal information. The company hosted many of these documents on a website that real estate agents and developers had access to. Agents would receive links to documents; each link contained a long numeric string that was essentially the document's reference number. By merely changing that number in the URL, anyone could access others' documents to which they should not have had access.
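The flaw described above, reconstructed in plain Python as an added example (this is not code from the article or from First American): the first function shows the pattern where the reference number in the URL alone selects the record, and the remaining functions show the two fixes a defender would apply. Function names and the sample records are constructed for illustration.

```python
import secrets

# Constructed sample data (not real records): each document lists the
# accounts that are party to the transaction and may view it.
DOCUMENTS = {
    1000123456: {"title": "wire receipt, file A", "allowed_users": {"agent-01"}},
    1000123457: {"title": "wire receipt, file B", "allowed_users": {"agent-02"}},
}

# Assumed store mapping opaque link tokens to the document and user they were issued for.
ISSUED_LINKS = {}


def fetch_document_insecure(ref_number, user):
    """The pattern the article describes: the reference number in the URL is the
    only thing that selects the document, and the caller's identity is ignored.
    Changing the number therefore walks through every other customer's records."""
    return DOCUMENTS.get(ref_number)


def fetch_document_secure(ref_number, user):
    """Fix 1: on every request, check that the caller is a party to the document.
    Deny by default, and make a missing record and a forbidden record look the same."""
    doc = DOCUMENTS.get(ref_number)
    if doc is None or user not in doc["allowed_users"]:
        return None
    return doc


def issue_link(ref_number, user):
    """Fix 2 (defence in depth): hand out an unguessable token instead of the
    sequential reference number, bound to the user it was issued to.
    Returns None if the user may not see the document in the first place."""
    if fetch_document_secure(ref_number, user) is None:
        return None
    token = secrets.token_urlsafe(32)
    ISSUED_LINKS[token] = (ref_number, user)
    return token


def fetch_by_link(token, user):
    """Resolve a link token. The authorization check still runs, so a forwarded
    or leaked link grants nothing to anyone but its intended recipient."""
    entry = ISSUED_LINKS.get(token)
    if entry is None:
        return None
    ref_number, issued_to = entry
    if issued_to != user:
        return None
    return fetch_document_secure(ref_number, user)
```

The token is a capability, not a replacement for the per-request check: both layers are needed, since unguessable links alone still leak if a link is shared or logged.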
Concerns Following a Breach
A breach of this magnitude involving this type of information raises numerous concerns. The information could prove a goldmine for hackers seeking to improve the efficiency of their phishing scams. It would also open up possibilities to alter wire transfer instructions so that money was diverted to the hackers’ bank accounts. The company is also likely to face significant fines and regulatory actions, not to mention private lawsuits, over the loss of its customers' privacy.
Programming "Breaches" are Surprisingly Common
While the size of the breach is shocking in terms of the amount of data and the sensitivity of the disclosed information, “breaches” of this kind that result from programming mistakes rather than cyber attacks are surprisingly common. Other recent examples involve Panera Bread, Kay Jewelers, and LifeLock, all of whom unknowingly published the private information of their customers online.
Routine Testing is Vital
Incidents like these highlight the need for companies to ensure they’re regularly testing their own sites and procedures to avoid accidental breaches. Along with incident response plans and cyber insurance, routine testing for vulnerabilities is a vital part of a solid cyber defense strategy.