On Friday, May 24, 2019, one of the largest privacy breaches ever occurred from a simple error in coding an application. Around eight hundred to nine hundred million (800,000,000 to 900,000,000) documents were made publicly accessible through the website of First American Financial Corp. First American Financial Corp. is a real estate title insurance company. The company helps home buyers and sellers through the settlement process. In doing so, they collect tons of personal information, including bank account numbers and social security numbers. They also process wire transfers.
The breach was discovered by a real estate agent attempting to access documents in preparation for a settlement. He realized he could access large caches of documents dating back more than a decade and notified the company and several cyber security reporters. The documents, which were not protected with passwords or encrypted, included wire receipts and small business financial records, amongst other protected personal information. The company hosted many of these documents on a website the real estate agents and developers had access to. Real estate agents would receive URL links to documents; the URL links would contain long number strings that were basically document reference numbers. By merely changing the number in the URL, someone could gain access to other people's documents, which they should not have been able to view.
A breach of this magnitude involving this type of information raises numerous concerns. The information could prove a goldmine for hackers to improve the efficiency of their phishing scams. It would also open up possibilities to alter wire transfer instructions so that money was diverted to the hackers’ bank accounts. The company is also likely to face significant fines and regulatory actions, not to mention private lawsuits, to remedy the loss of privacy of their customers.
While the size of the breach is shocking in terms of the amount of data and the sensitivity of the disclosed information, “breaches” of this kind that result from programming mistakes rather than cyber attacks are surprisingly common. Other recent examples involve Panera Bread, Kay Jewelers, and LifeLock, all of which unknowingly published the private information of their customers online.
Incidents like these highlight the need for companies to ensure they’re regularly testing their own sites and procedures to avoid accidental breaches. Along with incident response plans and purchasing cyber insurance, routine testing for vulnerabilities is a vital part of a solid cyber defense strategy.
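The flaw described above, where the document number in the URL is the only thing standing between a visitor and a file, is shown here next to a corrected lookup and the kind of routine self-test recommended in the last paragraph. This is an added example, not First American's code; the document numbers, user names and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Document:
    doc_id: int
    body: str
    authorized: set = field(default_factory=set)  # users allowed to read it

# Constructed sample data: sequential reference numbers, as in the incident.
STORE = {
    1001: Document(1001, "wire receipt (constructed)", {"agent_a"}),
    1002: Document(1002, "closing statement (constructed)", {"agent_b"}),
    1003: Document(1003, "tax record (constructed)", {"agent_a", "agent_b"}),
}

def fetch_insecure(user, doc_id):
    """Flawed pattern: knowing (or guessing) the number is enough."""
    doc = STORE.get(doc_id)
    return doc.body if doc else None

def fetch_authorized(user, doc_id):
    """Corrected pattern: every lookup is checked against the caller."""
    doc = STORE.get(doc_id)
    # Same result for "no such document" and "not yours", so responses
    # do not reveal which reference numbers exist.
    if doc is None or user is None or user not in doc.authorized:
        return None
    return doc.body

def access_violations(fetch, users):
    """Self-test for your own application: return every (user, doc_id)
    pair the handler serves although the user is not on the access list."""
    violations = []
    for user in users:
        for doc_id, doc in STORE.items():
            if fetch(user, doc_id) is not None and user not in doc.authorized:
                violations.append((user, doc_id))
    return violations

if __name__ == "__main__":
    users = ["agent_a", "agent_b", None]  # None = visitor with no login
    print("insecure handler:", access_violations(fetch_insecure, users))
    print("corrected handler:", access_violations(fetch_authorized, users))
```

Run as part of a regular test suite, a check like `access_violations` fails as soon as any handler starts serving documents without consulting the access list.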