• ✨Always Use Forum Private Messages PM For Deal With Vendors✨

    Admin Contacts Jabber: megiddo@jabber.sk Telegram: @Megiddo1

American Insurance Company Leaked 850 Million User Data

✨ Megiddo

✨ President ✨
Staff member
Joined
May 15, 2016
Messages
4,020
Likes
2,572
Points
1,730
User records have been publicly available on the web for four years due to a software vulnerability.

23653e4d3588e744dd9551b4c2a29db1.jpg


California-based First American Title Insurance, which inadvertently left tens of millions of user records available online, became the first company to be indicted by the New York Department of Financial Services (DFS) for violating cybersecurity rules.

According to the financial regulator, First American Title Insurance is negligent in protecting its data, as a result of which it violated state laws on the protection of non-public information. In April 2018, the insurer's systems contained about 753 million documents, 65 million of which were marked as confidential. In May 2019, the number of records increased to 850 million. All information has been in the public domain on the Web for four years due to security vulnerabilities.

From at least October 2014 to May 2019, a vulnerability on the First American public website could cause virtually anyone to access personal information, including bank account and statement numbers, mortgage and tax records, social security numbers, receipts about payment transactions and images of the driver's license.

The documents were contained in the FAST database of First American Title Insurance. According to the prosecution, the data breach occurred in 2014 due to a vulnerability in EaglePro's software for exchanging documents with FAST via email with clients. The vulnerability could have been exploited to view any image on the system - documents submitted via EaglePro were displayed from a URL with the ImageDocumentID parameter, which can be changed to any other value and access other users' documents without authorization verification.

The company has been aware of this software vulnerability for six months, but has done nothing to address the issue.
__________________
 
Top Bottom