
885 Million Records Exposed Online: Bank Transactions, Social Security Numbers, and More

Dell Cameron, May 25, 2019

Several million records, said to include bank account details, Social Security digits, wire transactions, and other mortgage paperwork, were found publicly accessible on the server of a major U.S. financial service company.

More than 885 million records in total were reportedly exposed, according to Krebs on Security. The data was taken offline on Friday.

Ben Shoval, a real-estate developer, reportedly discovered the files online and notified security reporter Brian Krebs. Krebs said that he contacted the server’s owner, First American Corporation, prior to reporting the incident.

A leading title insurance and settlement services provider, First American is a large company headquartered in California with more than 18,000 employees. Its total assets in 2017 were reported at over $9.5 billion.

A company spokesperson told Gizmodo it learned about the issue on Friday and that the unauthorized access was caused by a “design defect” in one of its production applications. It immediately blocked external access to the documents, they said, and began evaluating, with the help of an outside forensics firm, what effect, if any, the exposure had on the security of its customers’ information.

“Security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information,” the company said.

According to Krebs, Shoval said that the millions of documents, which appeared to date back as far as 2003, included “all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business.”

Krebs reported that the files were accessible without any kind of authentication.

“I should emphasize,” Krebs wrote, “that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”

[KrebsOnSecurity]

Update, 8pm: Added a statement provided by First American.
