It’s no secret that ‘cyberwarfare’ is a board-level concern for businesses all over the world. 2020 has seen an unprecedented rise in cyber attacks, with security leaders seeing 30% more attacks since March. But it’s not always the stereotyped hackers hiding in the dark that cause data breaches; sometimes it’s simply down to avoidable human error.
One such unsuspecting victim that made the headlines in May was First American Corporation, the largest title insurance company in the US. The company fell victim to a substantial data breach, with a staggering 885 million sensitive financial records exposed online. Due to the nature of the information exposed, the breach presented a huge problem to First American and their unfortunate customers, one that could have longstanding implications.
What caused the data to be exposed?
The lapse was first reported by leading security researcher Brian Krebs, who outlined that the exposed records, going back to 2003, were stored on the company's website, firstam.com.
The issue arose from an Insecure Direct Object Reference (IDOR), an application flaw which is not uncommon. The vulnerability was initially detected by an internal penetration test in 2018; however, First American’s investigations underestimated its seriousness. The exposed files could be accessed without any sort of protection, not even a password.
By not taking the relevant steps to remediate the issue, the hole in their document management system was left unnoticed. Because the exclusive URLs to the files were not secured, anyone who could insert the correct URL into their browser could access sensitive customer information.
This is another example demonstrating the importance of having a robust and rigorous penetration testing program in place, and it highlights that without adequate remediation processes, vulnerabilities can remain present. In fact, a developer had spotted the flaw and contacted the company but was ignored, and so contacted Brian Krebs.
The range of sensitive files exposed included bank account information, tax records, Social Security numbers, driver’s licenses, and more. This kind of data is highly lucrative to scammers, who could potentially use it to target individuals as well as distribute it on the dark web. To date, there has been no evidence that anyone actually found and stole the information, but there is conceivably still a threat.
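The difference between a document endpoint with this kind of IDOR flaw and one that authorizes each request against the object, shown as an added example (not First American's code; the record store, user names and function names are hypothetical). The `find_idor` helper is a regression check of the sort that confirms a penetration test finding has actually been remediated:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Document:
    doc_id: int
    parties: frozenset  # user ids allowed to read this record
    body: str

# Constructed sample records for illustration only.
DOCUMENTS = {
    1001: Document(1001, frozenset({"alice"}), "closing statement A"),
    1002: Document(1002, frozenset({"bob"}), "wire instructions B"),
}

def get_document_insecure(doc_id: int):
    """IDOR: the id in the URL is the only thing needed to read a record."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc.body) if doc else (404, None)

def get_document(user: Optional[str], doc_id: int):
    """Hardened: authenticate first, then authorize against the object itself."""
    if user is None:
        return (401, None)  # no session, no lookup
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "missing" and "not yours" so valid ids are not revealed.
    if doc is None or user not in doc.parties:
        return (404, None)
    return (200, doc.body)

def find_idor(handler, users):
    """Regression check: list (user, doc_id) pairs where a non-party got a 200."""
    leaks = []
    for doc_id, doc in DOCUMENTS.items():
        for user in users:
            if user not in doc.parties and handler(user, doc_id)[0] == 200:
                leaks.append((user, doc_id))
    return sorted(leaks, key=lambda p: (str(p[0]), p[1]))

if __name__ == "__main__":
    insecure = lambda user, doc_id: get_document_insecure(doc_id)
    print("insecure leaks:", find_idor(insecure, [None, "alice", "bob"]))
    print("hardened leaks:", find_idor(get_document, [None, "alice", "bob"]))
```

Running a check like this in CI after the fix keeps the finding from quietly reappearing in a later release.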
The fallout and ramifications
The New York State Department of Financial Services (DFS) conducted an investigation and has filed charges in response to the reports, citing violations of multiple provisions. However, First American has rejected the accusations.
If the company is found guilty, every single exposure could cost the firm one thousand dollars per violation. To give you some perspective, approximately 900 million transaction records have been exposed, which could result in huge financial penalties alongside reputational damage.
Following a pledge for better cyber security prosecution, the financial services company is the first to be made an example of for violating the New York Stop Hack and Improve Electronic Data (appropriately abbreviated to SHIELD!) Act. The Act, which took effect on March 21, 2020, amends the state data breach notification law and expands security requirements to protect the private information of any New York resident. Inevitably, with a breach of this scale, the effects will no doubt be long-term.
The importance of penetration testing
This case highlights the importance of having a well-structured security strategy involving frequent penetration testing. Companies must perform high-standard security checks and processes to ensure that they are taking adequate measures to protect sensitive data in the event of a security lapse and cyber attack; otherwise, the effects can be detrimental and long-lasting for everyone involved.