Brian Krebs reports that First American Financial Corp, a company that works primarily in real estate insurance, left more than 855 million records exposed on its Web site, with records dating back to 2003. First American Financial Corp's first big mistake was its approach to security: if a website serves documents at URLs that contain a sequential number, anyone can add or subtract one from that number to reach other people's documents.
Given the kind of business the company is in, the records contain a tremendous amount of personal information. Krebs was tipped off by Ben Shoval, who brought the exposure to his attention and said the records include Social Security numbers, driver's licenses, account statements, and even internal company documents.
The company has since closed the hole in its web site. At this point it is not known whether anyone actually exploited this vulnerability. Unlike most public disclosures of this kind of data exposure, First American Financial does not even say that there is no evidence the records were accessed. The statement it gave Krebs is quoted below.
In it, First American says it found a design flaw in an application that made unauthorized access to customer data possible, that security, privacy and confidentiality are its top priorities and it is committed to protecting customer information, that it took immediate action to address the situation and block external access to the application, and that it is currently evaluating how this affects the security of customer information. This afternoon, First American further told The Verge that it has hired a third-party forensic company to determine whether anyone accessed the records.
"On May 24, First American became aware of a design flaw in one of its applications that made unauthorized access to customer data possible. Security, privacy and confidentiality are our top priorities and we are committed to protecting customer information.
The company therefore took immediate action to address the situation and block external access to the application. We are currently evaluating how this affects the security of customer information. We have hired an external forensic company to verify that there has been no unauthorized access to customer data."
A lot of personal data is in fact accessible behind URLs that are not password-protected yet remain relatively secure, because the URL is long and random enough that it cannot be guessed. Google Photos, for example, shares images this way. But even if one grants that making documents available without a password can be acceptable, First American Financial's use of URLs that anyone can guess was extremely short-sighted.
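As an added illustration, not code from the article, Krebs, or First American (the document store, users, and function names are constructed): a handler that serves documents by sequential id with no authorization check, beside two defensive alternatives, an ownership check against the authenticated session and an unguessable capability token of the kind Google Photos style share links rely on.

```python
import secrets

# Constructed sample document store, not First American's data: doc id -> (owner, body)
DOCUMENTS = {
    1001: ("alice", "closing statement for 12 Main St"),
    1002: ("bob", "escrow wire instructions"),
}

class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested document."""

def fetch_sequential_no_auth(doc_id):
    """Vulnerable pattern: the numeric id in the URL is the only thing checked.
    A user who was sent /docs/1001 can change it to /docs/1002 and read
    someone else's document, which is the flaw the article describes."""
    return DOCUMENTS[doc_id][1]

def can_read(session_user, doc_id):
    """Authorization decision based on who is logged in, not on knowing the id."""
    owner = DOCUMENTS.get(doc_id, (None,))[0]
    return owner is not None and owner == session_user

def fetch_with_ownership_check(session_user, doc_id):
    """Hardened pattern: same sequential ids, but every request is checked
    against the authenticated session before anything is returned."""
    if not can_read(session_user, doc_id):
        # Deny (a 403/404 in a real handler) instead of serving the document
        raise Forbidden(f"{session_user!r} may not read document {doc_id}")
    return DOCUMENTS[doc_id][1]

# Capability links for cases where no login is possible (e.g. emailed share links):
# a 128-bit random token stands in for the id, so the URL space cannot be walked.
# A real system would also add expiry and revocation (assumption, not from the article).
SHARE_LINKS = {}

def create_share_link(doc_id):
    token = secrets.token_urlsafe(16)  # 16 random bytes = 128 bits of entropy
    SHARE_LINKS[token] = doc_id
    return f"/share/{token}"

def fetch_by_share_token(token):
    """Returns the document body, or None for an unknown (or guessed) token."""
    doc_id = SHARE_LINKS.get(token)
    return None if doc_id is None else DOCUMENTS[doc_id][1]
```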
Krebs characterizes this data exposure as follows: "It's huge, and probably a superlative." The number of records involved and the amount of sensitive information they contain clearly support that claim.
I have contacted First American Financial for additional comment, but at this point I cannot say what people can do to check whether their own data was exposed.
Krebs on Security
Update, 7:05 PM: Added First American's public statement that it has hired an external forensic company to investigate.