More than 885 million records were left unsecured – not protected even by a simple mechanism such as a password – by insurance giant First American, and only time will tell whether someone with bad intentions has already gained access to the wealth of consumer data that could easily be harvested from the domain.
The data involved in the breach isn't merely someone's email address or full name; anyone who knew exactly where to look could reach millions of pieces of sensitive information. Bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver's licenses, dating back to 2003, were all potentially exposed to cybercriminals.
What's particularly interesting about the First American data breach is that there is no indication that anyone broke into the company's systems. What happened is a relatively common website design error called Insecure Direct Object Reference (IDOR), according to Dave Farrow, Senior Director of Information Security at Barracuda Networks.
A link on the site's domain pointed directly at the database holding the sensitive information and was intended only for specific users, such as staff or partners. However, nothing verified the identity or authorization of whoever visited the link: having the link meant having access to millions of sensitive consumer records. Worse, anyone who discovered the link could easily modify it to view other documents.
No hacker, no data breach?
Not necessarily. While hacking is one cause of data breaches around the world, negligence by the company that owns the database is among the most common. A recent study suggests that companies consider "employee mistakes" the most potent cause of a data leak. Rightly so: a data leak without a hacker is still a data leak – consumer data is still exposed for anyone to consume, and the result can be as devastating as when an intruder takes it by force.
“No end user compromise is necessary,” Farrow said. “The hacker has simply identified an authorization error in the website and walked through the front door.”
While working through the IDOR flaw takes some effort, the amount and type of data exposed at First American is incentive enough for anyone to put in the labor. Moreover, the job only gets easier because the data has already been mass-harvested. Analysts even argued that the data could be indexed by bots, further reducing the manual work needed to access and collect it.
Furthermore, even if no one deliberately set out to scoop data from the site, a massive chunk of it has also been captured by search engines. A simple search with the right keywords can lead anyone to a trove of sensitive consumer data, even unintentionally. According to First American, cached versions of at least 6,000 exposed documents were still readable online.
Class action suit filed against First American
Given the sensitivity of the data left exposed on the company's website, only time separated the company from a brewing class action – and that time has come. A class action suit has been filed against the insurance giant for the apparent negligence that led to the exposure of more than 885 million records online. Gibbs Law Group LLP announced today that it is bringing the first nationwide class action lawsuit against the multibillion-dollar corporation.
In a court filing made in California, the class action said that "despite explicitly promising customers robust data security as part of the high cost of title services, First American allowed anyone to access the sensitive files of millions of customers. Nor is this just a theoretical concern – many, if not all, of the documents were repeatedly accessed before First American was told about the breach."
"First American made it incredibly easy for the public to access this private information by failing to implement even rudimentary security measures. Suppose that you are a First American customer. The company provides you with a URL to access your documents on its website. That URL might end in 'DocumentID=000000075,'" the filing says.
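To make the IDOR pattern described above concrete (the link that selects a record by a sequential DocumentID, and the missing identity check), here is an added example, not First American's code or anything from the filing: a document-download handler with the flaw, beside the same handler with object-level authorization. The record store, user names and the "staff" role are constructed for the illustration.

```python
# Added example (not First American's code): a document-download handler
# with an IDOR flaw, and the same handler with object-level authorization.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str          # customer the record belongs to
    content: str


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset    # e.g. {"staff"} for employees; empty for customers


# Constructed sample store: sequential IDs, as in "DocumentID=000000075".
DOCUMENTS = {
    75: Document(75, "alice", "alice wire transfer receipt"),
    76: Document(76, "bob", "bob mortgage record"),
}


def parse_document_id(raw: str) -> int:
    """Accept only a plain decimal ID (leading zeros allowed)."""
    if not raw.isdigit():
        raise ValueError("invalid DocumentID")
    return int(raw)


def fetch_document_insecure(raw_id: str) -> str:
    """IDOR: the URL parameter alone selects the record, so whoever holds
    the link (or edits the number in it) receives the document."""
    doc = DOCUMENTS.get(parse_document_id(raw_id))
    if doc is None:
        raise KeyError("not found")
    return doc.content


def fetch_document_secure(user: Optional[User], raw_id: str) -> str:
    """Hardened: require a logged-in user, then return the record only if
    the requester owns it or holds an explicitly granted role."""
    if user is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(parse_document_id(raw_id))
    # One answer for missing and forbidden IDs, so that the ID space
    # cannot be mapped by probing the response.
    if doc is None or not (doc.owner == user.name or "staff" in user.roles):
        raise PermissionError("not found")
    return doc.content
```

The insecure variant reproduces the behaviour the article describes: changing the number in the link is enough to read another customer's record, which is also why per-client request volume across many distinct DocumentIDs is the signal a defender would alert on.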
The class action asks the court to award First American's clients and the other affected parties damages, disgorgement, and any other form of monetary relief provided by law (but not damages under the CLRA). /apr