The sensitive data of California-based title insurance company First American Financial Corporation was found publicly accessible, leaving records such as bank account details, Social Security numbers, wire transactions, and mortgage paperwork exposed for anyone to exploit.
According to cybersecurity news site Krebs on Security, over 885 million records were reportedly exposed. Last week, a real estate developer discovered that the files could be accessed on First American’s website without authentication. The developer then reported the exposure to Krebs on Security, who passed on the news to First American.
The data has since been taken offline.
A company spokesperson told Gizmodo in a statement that the unauthorized access was due to a “design defect” in one of its production applications. First American blocked external access to the documents and has begun evaluating what effects the exposure has on the security of its customers’ data; the company is collaborating with an outside forensics team on the matter.
“Security, privacy and confidentiality are of the highest priority, and we are committed to protecting our customers’ information,” the company added in its statement.
Millions of documents – some dating as far back as 2003 – were left vulnerable for anyone to take a look at, Krebs on Security reported. In addition to Social Security numbers, driver’s license details, and account statements, even internal corporate documents were also unintentionally leaked by First American’s website.