Web application security specialists reported the discovery of millions of records exposed on the servers of a major financial services company. The exposed information includes account details and banking transactions, Social Security numbers and mortgage information, among other data.
According to the specialists who discovered this trove of data, more than 850 million records were exposed; the company has already taken the compromised server offline.
In their report, the specialists describe how they discovered the online files and informed the authorities and some prominent members of the cybersecurity community. They claim that the company operating the compromised server was notified before public disclosure was made.
After the incident became known, the company involved was revealed to be the financial organization First American; headquartered in California, it is one of the leading providers of title settlement services, with about 18k employees and assets equivalent to almost 9 billion USD.
Subsequently, a spokesperson stated that the company was informed about the unauthorized access last Friday: “The incident occurred because of a flaw in the design of one of our production applications. We block external access to our documents immediately.” The company is working with external web application security specialists to conduct a thorough investigation.
“Ensuring the privacy and confidentiality of our clients is a priority task for us; we will continue to work so that this kind of incident does not happen again,” the spokesman concluded.
The documents appear to date from the year 2003 and include details related to all company operations, customers and corporate partners. According to specialists from the International Institute of Cyber Security (IICS), the files were available to any user without authentication.
The investigators specified that the exposed documents could only be accessed through the First American website. They also point out that it is not yet possible to confirm or deny whether any malicious actor has accessed the compromised files, although this possibility should not be ruled out.