First American Financial Incident

First American Financial Corp., one of the largest U.S. title insurers, may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003. Digitized records including “bank-account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images were available without authentication to anyone with a web browser,” according to Brian Krebs, who broke the story on Friday, May 24.

Whether this access was exploited and how long it was accessable has not yet been reported, however, if it was available for a long period of time the likelihood of illicit access rises sharply. In addition, the materials available are tailored made for criminals looking to carry out financial fraud against companies and identity theft against consumers.

Commentary: First American’s history stretches back over 100 years and today has over five billion dollars in annual revenue and over 18,000 employees. You would think that a company of this size and history, and handling the volume of sensitive information that it does, would have robust security controls. And yet here we are. Yet another reminder that no company is immune to cyber attacks or critical cyber vulnerabilities, no matter how large with supposedly the budget and sophistication to deal with these threats, or how small without either.

Likely Threat(s): ?
Likely Motive(s): ?
Likely Means: 3.2 Exploit security design flaws
Opportunities: Penetration Testing, Secure Software Development

%d bloggers like this: