Client Alert

Millions of Customer Financial Records Exposed on First American Website

28 May 2019

On Friday May 24, 2019, independent security journalist Brian Krebs revealed that real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access.

Krebs reported that the exposed records included Social Security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts. The digitized records were available without authentication to anyone with a Web browser.

“First American has learned of a design defect in an application that made possible unauthorized access to customer data," First American said in a statement. "The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”

In its statement, the company also stated that an outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised, and that “at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred.”

The company plans to provide updates on its investigation exclusively on its website.

Gibbs Law Group LLP has filed the first nationwide class action lawsuit accusing First American Title Company of failing to properly secure 885 million sensitive customer files, instead choosing to store them in a “woefully insecure,” publicly accessible system. Specifically, the lawsuit alleges that First American Title Company was negligent and violated its contracts with customers in the way it stored their personal information, leaving them vulnerable to identity theft and other cybercrimes.

As if a wake-up call were needed on the topic of data security, let us hope that this development will encourage all title companies to review their data security practices robustly. Corporate customers of First American (and other title insurance companies) should also consider reviewing their arrangements with the companies to assure that sensitive customer information is properly secured.



Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.