Brian Krebs broke the news late Friday that Fortune 500 real estate insurance giant First American exposed approximately 885 million sensitive records because of a bug in its website. The news has been picked up by various business media.
Krebs reported that the company’s website was storing and leaking bank account numbers, statements, mortgage and tax records, and Social Security numbers and driving license images in an enumerable format — so anyone who knew a valid web address for a document simply had to change the address by one digit to view other documents, he said.
There was no authentication required — such as a password or other checks — to prevent access to other documents.
Experts Comments:
Byron Rashed, VP of Marketing at Centripetal:
“This kind of disclosure isn’t common; usually the back doors are from vulnerabilities that have not yet been discovered or patched. In this case, there was no authentication – if you stole credentials from somewhere else, you could access all kinds of account information. It’s very surprising for a Fortune 500 company to have this kind of security posture. What they should have done is what most companies do -authenticate with a password or 2 factor authentication. This so beyond a textbook example of a breach.”
Colin Bastable, CEO at Lucy Security (Austin, TX):
“This is careless and incompetent complacency, and it goes back to 2003. You might have thought that there would have been a security audit in the last 16 years, or that someone would have noticed that data attracts data thieves: “Hey, is all this data really secure?” Years ago, a teenager from England managed to roam around Defense Department servers, because they had no password protection. The problem is longstanding. Out of convenience or forgetfulness, and by people making assumptions, so much data is left unguarded.
The distributed and fragmented nature of the US property market, with its many moving parts and multiple actors having a hand in each property transaction (for a slice of the action), means that ease of access to data is given greater priority than security of the data. To cut costs, large corporations outsource many functions to third parties who all need access to the data, not unlike the US healthcare industry. Government adds to the problem by requiring multiple audit trails and adding layers of compliance. So we should not be surprised that data security is chronically impaired in the US property market. The technologies and policies and procedures have long existed to secure this type of data, but somehow it is often too inconvenient to apply them.”
Don Duncan, Security Engineer at NuData Security:
“The data leaked is extremely sensitive, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers’ license images that, without much effort, can be used for account takeover and identity theft. With the number of breaches across different industries, it’s important that users remain vigilant due to the data that has accumulated about them over time. We encourage them to check their credit record regularly, as well as their card and account statements. For companies, the constant exposure of personally identifiable information means that relying on this information for authentication – such as date of birth, driver’s license or last transaction information – is no longer valid. Today, more companies are including passive biometrics technologies in their apps and websites to verify the user behind the credentials or information provided.”
Tyler Owen, Director, Solution Engineering at CipherCloud (San Jose, CA):
“Unfortunately these types of data leakages are quite common. In the past two weeks we have seen multiple databases of millions of records exposed with no authentication or controls. Often times there are easy fixes for many of these breaches with the appropriate planning and right tools.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.