Illustration of binary code for article on First American Financial data leak.

The leak of hundreds of millions of records by real estate title insurance company First American Financial could put the most private personal information of many American consumers at risk.

The website Krebs on Security reported late Friday that security flaws in First American’s website had exposed digitized documents related to mortgage deals dating back to 2003. The documents included everything from bank account numbers and statements to tax records and Social Security numbers.

All the documents were available to anyone with a browser who had a link to a single document at the website, by replacing one digit in the link at a time—the files were numbered in order. No log-in or password information was needed. A real estate developer reportedly contacted Krebs on Security after discovering the problem.

First American says it immediately shut down external access to the application when it found out about the problem. But it remains unclear whether any cybercriminals noticed the flaw and used it to steal consumer information before the problem was addressed.

Security and risk management experts say the leak is an example of how even large companies often neglect to bake security into the design of their online services.

“This is Web Application Security 101,” says Michael Covington, a vice president at Wandera, a mobile security company. “With all we’ve seen in breaches over the last few years, this isn’t something you’d expect from a company like First American.”


“Security was clearly not part of the design picture for them,” adds Nick Sanna, CEO of cybersecurity risk management firm RiskLens.

Consumer advocates agree. “We already knew companies are not sufficiently incentivized to protect sensitive consumer data,” says Katie McInnis, policy counsel at Consumer Reports. “But the leak of hundreds of millions of title insurance records by First American is egregious.”

When contacted for comment by CR, First American directed us to a statement confirming what it called a “design defect” that “made possible unauthorized access to customer data.” The company also said that it is “currently evaluating what effect, if any, this had on the security of customer information.”

The company also noted that it has hired an outside forensic firm to determine whether there has been any “meaningful unauthorized access to our customer data.”

The details surrounding exactly what happened are still emerging, but here’s what we know so far.

What data was included? According to Krebs on Security, the records included about 885 million files covering bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images. First American didn’t confirm the 885 million estimate in its statement.

Was this a data breach? Technically, no. This wasn’t the work of hackers. Instead, it was a very badly designed web application. In theory, anyone could have accessed the information, Covington says.

Is there any way to tell whether cybercriminals accessed the records? If First American has audit records in place, Covington says, security professionals will be able to see which files were accessed and whether an actual attacker has combed through them or mostly just the people who discovered the problem.
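The audit-log review Covington describes, as an added example that is not from the article or from First American: given web-server access logs, it flags clients that walked consecutively numbered document IDs, the enumeration pattern described above, while a customer opening a few unrelated documents of their own is left alone. The log format, the `/DocumentView?id=` path and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample access-log lines (not real First American logs).
# Assumed format: client_ip method path status; the /DocumentView?id= path is an assumption.
SAMPLE_LOG = """\
203.0.113.7 GET /DocumentView?id=000000075 200
203.0.113.7 GET /DocumentView?id=000000076 200
203.0.113.7 GET /DocumentView?id=000000077 200
203.0.113.7 GET /DocumentView?id=000000078 200
203.0.113.7 GET /DocumentView?id=000000079 200
203.0.113.7 GET /DocumentView?id=000000080 200
198.51.100.2 GET /DocumentView?id=000004412 200
198.51.100.2 GET /DocumentView?id=000004413 200
198.51.100.2 GET /login 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"[?&]id=(\d+)")

def parse(log_text):
    """Yield (client, doc_id) for each request that carried a numeric document id."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        idm = ID_RE.search(path)
        if idm:
            yield client, int(idm.group(1))

def sequential_runs(ids, min_run):
    """Return (first_id, last_id) for each stretch of ids that moves by exactly
    +1 or -1 per request for at least min_run requests (in request order)."""
    runs, start = [], 0
    for i in range(1, len(ids) + 1):
        step = ids[start + 1] - ids[start] if start + 1 < len(ids) else 0
        continues = i < len(ids) and abs(step) == 1 and ids[i] - ids[i - 1] == step
        if not continues:
            if i - start >= min_run:
                runs.append((ids[start], ids[i - 1]))
            start = i
    return runs

def find_enumeration(log_text, min_run=5):
    """Map each client to the consecutive-id runs it walked; clients with none
    (a customer viewing a handful of their own documents) are not reported."""
    by_client = defaultdict(list)
    for client, doc_id in parse(log_text):
        by_client[client].append(doc_id)
    flagged = {c: sequential_runs(ids, min_run) for c, ids in by_client.items()}
    return {c: runs for c, runs in flagged.items() if runs}
```

With the sample above, only 203.0.113.7 is reported (documents 75 through 80); lowering `min_run` trades fewer missed crawlers for more false positives from users paging through related filings.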

What can I do to protect myself? First American has yet to offer any way for consumers to determine whether their personal information has been compromised. But there is precedent for doing that: Equifax set up a website to help people learn whether they’d been part of its massive data breach in 2017, for example.

Sanna and Covington both say they expect the company to offer free credit monitoring. In the meantime, Consumer Reports experts say that because of the many data breaches and leaks of recent years, you may also want to freeze your credit at the major credit bureaus. This will prevent criminals from taking out loans or establishing credit cards using your name and other personal data, and you can do it free of charge.