A major US financial services company has reportedly leaked million of sensitive digitised records that date back more than 16 years, including bank account records, Social Security numbers, wire transactions and other mortgage paperwork.
More than 885 million files are said to have been left publicly accessible, according to Krebs on Security, which first reported the leak. The wealth of records was reportedly discovered by a real-estate developer, Ben Shoval, who then contacted security reporter Brian Krebs. Krebs said he notified the owner of the leaky website this week.
Krebs identified the owner as First American Corporation, a title insurance company worth more than $US5 billion ($7.2 billion). The company did not immediately respond to a request for comment.
Shoval told Krebs that the title agency had collected “all kinds of documents from both the buyer and seller, including Social Security numbers, drivers licenses, account statements, and even internal corporate documents if you’re a small business”. The records dated back to at least 2003, he said.
Krebs reported that the documents, which could be accessed online without any kind of authentication, included some dated very recently. The website from which the records could be accessed was shut down as of 4:00AM AEST on Saturday, he said.
A company spokesperson reportedly told Krebs the leak was caused by an unnamed application and that it is currently evaluating what effect, if any, the incident has had on its clients.
It’s unclear at this time whether anyone without authorisation (other than Shoval and Krebs) accessed or downloaded the documents.
“I should emphasise,” Krebs wrote, “that these documents were merely available from First American’s Web site; I do not have any information on whether this fact was known to fraudsters previously, nor do I have any information to suggest the documents were somehow mass-harvested (although a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker).”