First American Financial Corporation has left sensitive data of around 885 million people unsecured and exposed on its website.
First American, a U.S.-based company, is one of the leading providers of title insurance and settlement services to the real estate and mortgage industries.
Ben Shoval, a real estate developer, first spotted the issue and reported it to Brian Krebs, saying that he had discovered that a portion of firstam.com was leaking people's sensitive information.
Anyone who has the URL for a valid document on the website can access other documents by modifying a single digit in the link.
Brian Krebs confirmed the breach and said that it exposed records dating back to 2003 and that no authentication was required to access the documents.
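The flaw described above is a missing access-control check on a guessable document number. As an added example (not First American's code; the document store, session table and function names are constructed for illustration), here is the unchecked lookup next to one that requires a session and verifies ownership:

```python
import secrets

# Constructed sample store: document number -> (owner, contents). Not real data.
DOCUMENTS = {
    1001: ("alice", "closing statement A"),
    1002: ("bob", "wire receipt B"),
    1003: ("alice", "tax record C"),
}

# Constructed session table: opaque token -> authenticated user.
SESSIONS = {}

def login(user):
    """Issue an unguessable session token (hypothetical stand-in for real auth)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def get_document_vulnerable(doc_id):
    """The flaw as described: a valid document number is all it takes."""
    record = DOCUMENTS.get(doc_id)
    return (200, record[1]) if record else (404, None)

def get_document_hardened(doc_id, token):
    """Require a session, then check that the caller owns the document."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)  # no valid session: reject before any lookup
    record = DOCUMENTS.get(doc_id)
    # Same 404 for "missing" and "not yours", so responses do not
    # reveal which document numbers exist.
    if record is None or record[0] != user:
        return (404, None)
    return (200, record[1])

def readable_ids(fetch, id_range):
    """Return the document numbers in id_range for which fetch returns 200."""
    return [i for i in id_range if fetch(i)[0] == 200]

if __name__ == "__main__":
    bob = login("bob")
    # Unchecked lookup: every existing number in the range is readable.
    print(readable_ids(get_document_vulnerable, range(1000, 1005)))
    # Hardened lookup: bob can read only his own document.
    print(readable_ids(lambda i: get_document_hardened(i, bob), range(1000, 1005)))
```

The ownership check is the actual fix; switching to random identifiers alone only makes the numbers harder to guess and does nothing once a link is shared or leaked.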
The exposed data includes mortgage and tax records, bank account numbers and statements, Social Security numbers, wire transaction receipts and driver's license images.
Krebs notified the company of the issue, and it was fixed immediately. The company refused to provide more details about the breach as the investigation was still ongoing.
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed,” the company said in a statement given to Brian Krebs.
According to The Verge, First American has hired a third-party forensics firm to investigate the issue and find out whether anyone has improperly accessed the records.