
Understanding The First American Financial Data Leak: How Did It Happen And What Does It Mean?

Memorial Day weekend got off to a rough start for millions of Americans when security researcher Brian Krebs reported the discovery of more than 885 million sensitive documents exposed online by insurance giant First American Financial. Those files, stored on the company's website, contained bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver's licenses. All of that information, which dated back to 2003, was available without any sort of protection and could be accessed without so much as a password—as long as a person knew where to look.

When a data leak like this occurs, it can be hard to tell just how severe it is. Without question, it's a troubling occurrence and does not inspire confidence in First American's ability to protect customer data. What makes the scope of this leak hard to gauge is that the information simply sat exposed online. There wasn't a clear breach of the company's servers or evidence that a malicious third party gained access to files without permission. This isn't an Equifax situation, though it certainly has the capacity to be every bit as devastating if someone with bad intentions discovered this data first.

What happened in the case of First American Financial is a relatively common website design error called Insecure Direct Object Reference (IDOR), according to Dave Farrow, Senior Director of Information Security at Barracuda Networks. Essentially, a link to a webpage with sensitive information is created and intended to only be seen by a specific party, but there is no method to actually verify the identity of who is viewing the link. As a result, anyone who discovers a link to one document can view it—and can discover any of the other documents hosted on the site by simply modifying the link.
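To make the IDOR pattern concrete, here is an added illustration (constructed code, not First American's): a document handler that looks up a record by the sequential id in the link without checking who is asking, the hardened handler that compares the requester against the record's owner, and a defender-side audit that reports which ids leak to a user who does not own them. The store, usernames and titles are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # customer the record belongs to
    title: str

# Constructed sample store, keyed by the sequential integer that would
# appear in the document link.
DOCS = {
    1001: Document(1001, "alice", "wire transfer receipt"),
    1002: Document(1002, "bob", "mortgage record"),
    1003: Document(1003, "alice", "tax document"),
}

class Forbidden(Exception):
    """Raised when the requester is not entitled to the document."""

def fetch_document_vulnerable(doc_id: int, requester: str) -> Optional[Document]:
    """The IDOR pattern: the link identifies the record, but the identity of
    the party viewing it is never consulted. Editing the id in the link is
    enough to read someone else's file."""
    return DOCS.get(doc_id)   # `requester` is ignored: this is the authorization error

def fetch_document_checked(doc_id: int, requester: str) -> Document:
    """Hardened handler: the requester's identity (established by the session
    layer, assumed here as a plain username) is compared with the record's
    owner before any content is returned."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        # Same outcome for "missing" and "not yours", so walking the id
        # space does not even confirm which ids exist.
        raise Forbidden(f"document {doc_id} is not available to {requester}")
    return doc

def audit_access(fetch: Callable[[int, str], Optional[Document]], requester: str) -> list:
    """Defender-side check: request every known id as `requester` and report
    ids whose content came back although the requester does not own them.
    A correctly authorizing handler returns an empty list."""
    leaked = []
    for doc_id in DOCS:
        try:
            doc = fetch(doc_id, requester)
        except Forbidden:
            continue
        if doc is not None and doc.owner != requester:
            leaked.append(doc_id)
    return leaked
```

Running `audit_access` against each handler as "bob" shows the vulnerable one hands over both of alice's records while the checked one leaks nothing.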

"No end user compromise is necessary," Farrow said. "The hacker has simply identified an authorization error in the website and walked through the front door."

Even after discovering the IDOR issue, accessing documents manually is a time-intensive task that requires a bit of guesswork and pattern identification—though, given the information that is exposed here, it may well be worth the time for an attacker to put in that labor. However, things get significantly easier for an attacker (and significantly worse for potential victims) if the information is somehow mass-harvested.

It's possible that information from First American could have been collected and indexed by bots. Done carelessly, such an effort might tip off the defenses of First American and result in the company deflecting the malicious attempts to access documents. But carried out through a "low and slow" attack, which uses fewer requests to avoid detection, it's possible that someone could have scooped up a considerable chunk of the sensitive documents hosted on the site.

According to data provided by Distil Networks, advanced persistent bots (APBs) are often used to carry out these types of attacks. They also made up 73.6 percent of all "bad bot" traffic in 2018. According to the company, these bots often avoid typical triggers that malicious attacks would hit, like failed login attempts and excessive traffic from a single IP address. While Krebs said in his report that there is no clear indication such an attack did happen, he noted that even a "novice attacker" could carry out such a scheme and could go undetected.
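As an added example (not from the article, Distil Networks or Barracuda), here is a detection heuristic for the "low and slow" harvesting described in the two paragraphs above, run over a constructed access log: counting requests per IP, the trigger these bots are said to stay under, shows nothing unusual, while chaining document ids across all sources reveals a single sequential walk. The log format, endpoint path and thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed access log (not real First American data). Each source IP
# makes only a few requests, below any per-IP rate limit, yet together they
# walk document ids 5000..5008 in order. Two requests from an unrelated
# customer are mixed in.
SAMPLE_LOG = """\
2019-05-24T10:00:01 203.0.113.10 "GET /documents/5000" 200
2019-05-24T10:04:12 203.0.113.11 "GET /documents/5001" 200
2019-05-24T10:09:37 203.0.113.12 "GET /documents/5002" 200
2019-05-24T10:13:05 198.51.100.7 "GET /documents/88213" 200
2019-05-24T10:15:40 203.0.113.10 "GET /documents/5003" 200
2019-05-24T10:21:02 203.0.113.11 "GET /documents/5004" 200
2019-05-24T10:26:48 203.0.113.12 "GET /documents/5005" 200
2019-05-24T10:30:19 198.51.100.7 "GET /documents/88214" 404
2019-05-24T10:32:55 203.0.113.10 "GET /documents/5006" 200
2019-05-24T10:38:11 203.0.113.11 "GET /documents/5007" 200
2019-05-24T10:44:29 203.0.113.12 "GET /documents/5008" 200
"""
LOG_RE = re.compile(r'^(\S+) (\S+) "GET /documents/(\d+)" \d{3}$')

def parse_log(text):
    """Return (timestamp, ip, doc_id) for each document request, oldest first."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return sorted(rows)

def max_requests_per_ip(text):
    """The per-source volume a 'low and slow' harvest is designed to keep small."""
    return max(Counter(ip for _, ip, _ in parse_log(text)).values())

def find_sequential_walks(text, min_len=5, max_gap_s=900):
    """Site-wide check that ignores source IP: chain requests whose document
    id is exactly one higher than a recent request's id, and report chains of
    at least `min_len`. Chains are keyed on the next expected id, so a user
    legitimately reading an id inside a chain joins it (acceptable for triage)."""
    pending = {}   # next expected id -> (start_id, length, last_ts, ips)
    for ts, ip, doc_id in parse_log(text):
        run = pending.pop(doc_id, None)
        if run and (ts - run[2]).total_seconds() <= max_gap_s:
            start, length, ips = run[0], run[1] + 1, run[3] | {ip}
        else:
            start, length, ips = doc_id, 1, {ip}
        pending[doc_id + 1] = (start, length, ts, ips)
    return [{"start": s, "end": s + n - 1, "requests": n, "distinct_ips": len(ips)}
            for s, n, _, ips in pending.values() if n >= min_len]
```

On the sample log no IP exceeds three requests, yet `find_sequential_walks` reports one nine-request walk spread over three addresses, which is the signal a per-IP threshold would miss.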

Even if this information sat online undetected by any person, at least some of it was still captured by search engines. According to First American, cached versions of at least 6,000 exposed documents were still readable online. The company is making efforts to remove them, but in the meantime those documents remain online with sensitive information readily available to anyone who finds them.

With a considerable amount of valuable information both still online and potentially collected by a bad actor, there now looms the threat that someone may use that information in a malicious way. That will most likely manifest as Business Email Compromise (BEC), according to Barracuda Networks' Farrow. These types of attacks are typically phishing and social engineering schemes used to gain access to a company's network or other sensitive information.

With a trove of customer data out there, it wouldn't be difficult for an attacker to impersonate a First American client and either attempt to change the details of an agreement, ask for additional information that could lead to financial gain, or even redirect a wire transfer to their own account. Barracuda Networks estimates these types of attacks represent over $12 billion in losses to businesses.

Farrow explained:

We are seeing an increasing trend in BEC attacks where hackers take over legitimate accounts, learn about organizational details and any deals in process. They then launch a well-timed BEC attack from compromised accounts asking for wire transfers or introducing last-minute changes to account details to defraud organizations. Because these attacks originate from legitimate accounts and often target internal employees, many email security solutions will struggle to detect and block the attack.

The trouble with a data exposure like the one at First American is that it's hard to pinpoint exactly how many people are actually affected. If everyone got lucky, this huge cache of sensitive files sat online undetected, and most everyone is in the clear. But the worst-case scenario is that every last one of those files was captured, saved, and could be used in the future to target individuals and companies.

First American has yet to provide any assistance to help its customers protect themselves. If you've done business with First American at any point since 2003, it may be best to freeze your credit at major credit bureaus for the time being. Doing so will prevent any unauthorized parties from taking out loans or starting a line of credit in your name without your permission.
