Home ownership is an essential element of the classic American Dream. But millions of buyers and sellers who trusted First American Financial (FAF), a major national title insurance company, just discovered a nightmare scenario.
The California-based firm admitted on May 24 that “a design defect in an application” left its customers’ personal data exposed. The leak was discovered by Washington real estate developer Ben Shoval, who reported it to Krebs on Security because he said he couldn’t get an answer from First American Financial. Shoval said, and Krebs confirmed, that the site was leaking “tens if not hundreds of millions of records.” They contend that anyone who knew the URL for a valid document at the website could view other documents just by modifying a single digit in the link, with no additional authentication needed.
The title insurance firm, among the biggest in the US, did issue a statement on the data exposure after Krebs on Security contacted it. However, it did not provide any figures on just how much data may have been exposed or for how long, saying only that the company took immediate action to address the situation and shut down external access to the application. “We are currently evaluating what effect, if any, this had on the security of customer information,” First American Financial’s statement said. “We will have no further comment until our internal review is completed.”
It’s not clear whether the documents were actually accessed by fraudsters or used in any scams. But it does seem that scammers armed with a single link to a company document would have had access to a treasure trove of sensitive data that could be used in “business email compromise” scams, which the FBI says are the most costly form of cybercrime today. These scams often involve impersonating real estate agents, closing agencies, or title and escrow firms to trick property buyers into wiring funds to fraudsters.
Title insurance agencies like First American Financial are a kind of middle man that works for buyers, sellers, lenders, insurers, and other parties in any given transaction, but they generally receive a commission from an insurance company that hires them. The title company reviews the property records to ensure that there is nothing—a lien on the land or a forgotten foreclosure, say—encumbering a sale. It also facilitates closings and files and records paperwork.
All parties rely on the title insurer’s data security. But buyers in particular submit a great deal of personal information in this process, from social security numbers and drivers’ licenses to financial data and bank records, all of which are valuable to fraudsters and were apparently visible on the FAF site.
Buyers who need a mortgage are required to purchase title insurance, as it protects their lenders from doling out for a property that’s ineligible for sale. Owners, on the other hand, are not required to use a title insurance agency but will have to deal with one if they are selling to a buyer who requires a bank loan.
By the afternoon of May 24, First American Financial had patched up its leak. But it seems that millions of documents were vulnerable at least as far back as 2017. Presumably we’ll know more about what really happened and how long the exposure went on when the company completes its internal review.
The company, which earned more than $5.7 billion in 2018, states on its website that it “facilitates and streamlines real estate transactions,” providing services which “protect” real estate investments. Right now, however, it seems that First American Financial actually endangered millions.