The First American Corporation data leak is a wake-up call for regulators to clamp down hard on organizations that fail to protect their customers.
Data breaches are one thing, but leaving customer data unprotected online is highly negligent and calls an organization's competence into question!
Any time criminals steal data from organizations like First American Corporation, it's the customers (including businesses) who suffer most!
What is First American Corporation?
Founded in Orange County, California, in 1889, First American Corporation is a financial services company in the real estate industry.
The Fortune 500 company is valued at over $7.5 billion (in 2021) and employs just under 20,000 people.
First American Corporation has several subsidiaries, including a subsidiary in India, employing more than 4,000 employees.
What Happened in the First American Corporation Data Leak in 2019?
The First American Corporation Data Leak is a shocking example of corporate negligence. Luckily, it appears First American Corporation's customers managed to avoid having their data end up in the hands of criminals.
In May 2019, Ben Shoval, a Washington state real estate developer, stumbled upon approximately 885 million files containing customer data dating back to 2003!
You had to have a specific URL to find the files on firstam.com. But, once you had one URL, all you had to do was increment or decrement the URL to access other records.
Many of First American Corporation's exposed records were wire transactions between property buyers and sellers with account numbers and other financial information.
Leaked, Not Stolen!
It's important to note that although the First American Corporation data was freely available, it doesn't appear that anyone stole any of the company's records.
Unlike a data breach where criminals hack into a network, human error usually causes a data leak.
In First American Corporation's case, a website configuration error called Insecure Direct Object Reference (IDOR) allowed customers to view private information without any authentication.
First American Corporation's records are sequential, so Mr. Shoval could change the number in the URL to access other customer records.
It's unclear how long First American Corporation's data was available online, but a search on archive.org revealed the company's records were available dating back to around March 2017!
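The flaw described above, sketched as an added example (not First American's code; the record IDs, owners, and function names are constructed for illustration): a lookup keyed only on a sequential number, beside a version that requires a session, checks ownership on every request, and issues random handles instead of countable IDs.

```python
import secrets

# Constructed sample data: two customers' documents (not real records).
DOCS = {
    1001: {"owner": "alice", "body": "wire instructions A"},
    1002: {"owner": "bob", "body": "wire instructions B"},
}


def get_document_vulnerable(doc_id):
    """IDOR: the number in the URL is the only thing checked.

    No session and no ownership test, so any existing ID returns its
    document to whoever asks for it.
    """
    doc = DOCS.get(doc_id)
    return (200, doc["body"]) if doc else (404, None)


class DocumentStore:
    """Hardened lookup: random handles plus a per-request owner check."""

    def __init__(self, docs):
        self._by_handle = {}
        self.handle_for = {}  # internal ID -> public handle
        for doc_id, doc in docs.items():
            # 128 random bits: handles cannot be derived from one another.
            handle = secrets.token_urlsafe(16)
            self._by_handle[handle] = doc
            self.handle_for[doc_id] = handle

    def get(self, session_user, handle):
        # 1. Authentication: anonymous requests never reach the data.
        if session_user is None:
            return (401, None)
        doc = self._by_handle.get(handle)
        # 2. Authorization: the record must belong to the caller.
        #    "Missing" and "not yours" share one response so the
        #    endpoint does not confirm which handles exist.
        if doc is None or doc["owner"] != session_user:
            return (404, None)
        return (200, doc["body"])
```

The random handle only removes guessability; the ownership check is what enforces access, so it must stay even if handles are never exposed.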
What Kind of Data Was Leaked?
Most of the files appeared to be scans of original documents, including property buyer and seller forms, IDs, SSNs, driver's licenses, account statements, internal corporate information for small businesses, physical addresses, contact numbers, email addresses, and other sensitive information and documentation.
This is essentially a treasure trove for criminals to carry out identity theft, spear-phishing attacks, and other social engineering attacks.
Early Warnings Ignored!
Penetration tests flagged First American Corporation's exposed records in 2018, but the problem remained unfixed due to a comedy of errors and administrative blunders.
What was the Fallout of the First American Corporation Data Leak?
You'll be sad to learn that the $7.5+ billion First American Corporation got a mere slap on the wrists for its negligence.
The New York State Department of Financial Services found First American Corporation had breached new cybersecurity protections implemented in 2017.
First American Corporation was the first company to receive enforcement action under the new cybersecurity law, reluctantly agreeing to a fine of $487,616 with The New York State Department of Financial Services.
Is Your Company Prepared for a Data Leak?
Data leaks like those at First American Corporation in 2019 or CAM4 in 2020 put customers at severe risk of cyberattacks.
This sort of personal information gives criminals the means to impersonate companies and individuals or even target them through various social engineering attacks.
One of the most significant risks from a leak like this is that criminals have enough personal information to carry out a successful spear-phishing attack.
Using data from First American Corporation, criminals could pose as the organization sending spear-phishing emails replicating the bank's correspondence.
The email might include personal information that only the bank would know, increasing the likelihood of a victim clicking a link or opening an attachment—most likely containing malicious packages giving criminals access to the victim's device and network!
Once attackers breach a user's device, they steal data and passwords to access other accounts, devices, and networks.
Protecting your company's passwords is crucial to preventing a full breach of your systems and accounts!
Protecting Passwords with TeamPassword
TeamPassword is a password manager designed for small businesses to share credentials safely amongst team members.
You never have to share raw login credentials. Instead, all of your passwords are safely stored and shared with TeamPassword. Employees use one of TeamPassword's browser extensions to log in—exactly as you would with a password saved in a browser.
With two-factor authentication (2FA), even if attackers steal a team member's password through a phishing attack, they won't have access to your TeamPassword account.
Creating, Storing, & Saving Passwords
TeamPassword features a built-in password generator, so you never have to worry about weak passwords or reusing credentials. You can create passwords from 12-32 characters using uppercase, lowercase, numbers, and symbols.
Once a new password is created, TeamPassword automatically updates the new credentials for all users so team members can continue working without interruption.
Groups & Sharing
You can create groups for your various accounts and only provide access to those who need it.
If you work with freelancers or contractors, you can add them to a group for the duration of their employment and remove them when the job is done—no need to change credentials when a team member leaves!
Keep Track of TeamPassword Activity
TeamPassword's activity log provides you with dates and times of login history. You can also set up email notifications for every TeamPassword action, allowing you to stay on top of your most sensitive data and accounts.
Accredited Secure Hosting Provider
TeamPassword uses state-of-the-art encryption technology and holds several internationally recognized security accreditations.
Our team regularly conducts vulnerability sweeps to ensure our systems are watertight against breaches and attacks.