Web applications security specialists reported the discovery of millions of records on the servers of a major financial services company. Exposed information includes account details and banking transactions, Social Security numbers and mortgage information, among other data.
According to the reports of the specialists who
discovered this data treasure, more than 850 million records were exposed; the
compromised server has already been taken offline by the company.
In their report, web applications security
specialists describe how they discovered the online files and informed the
authorities and some prominent members of the cybersecurity
community. Specialists claim that the company operating the compromised server
was notified before public disclosure was made.
After the incident was known, it was revealed
that the company involved is the financial organization First American; headquartered
in California, it is one of the leading providers of title settlement services,
with about 18k employees and assets equivalent to almost 9 billion USD.
Subsequently, a spokesperson stated that the
company was informed about the unauthorized access last Friday: “The
incident occurred because of a flaw in the design of one of our production
applications. We block external access to our documents immediately”. The
company is working with external web applications security specialists to
conduct a thorough investigation.
“Ensuring the privacy
and confidentiality of our clients is a priority task for us, we will continue
to work so that this kind of incidents does not happen again”, the
spokesman concluded.
The documents appear to date from the year 2003
and include details related to all company operations, customers and corporate
partners. According to specialists from the International Institute of Cyber
Security (IICS), the files were available for any user without the need for authentication.
The investigators specified that it was only
possible to access the exposed documents through the First American website; in
addition, they point out that it is still not possible to affirm or deny that
some malicious actor has accessed the compromised files, although this
possibility should not be ruled out.
