The American Securities and Exchange Commission is said to be investigating a US insurance company that allegedly left 885 million personal records accessible "without authentication to anyone with a web browser".
As revealed by infosec journalist Brian Krebs in May this year, First American Financial Corporation was said to have leaked sequentially numbered documents including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and images of driving licences. The firm disabled serving of the files after being told of the leak.
Regarding the SEC's investigation, Krebs cited a letter sent to Ben Shoval, the property developer who originally noticed the leak earlier this year, from the commission's enforcement division. The letter asked Shoval to "immediately preserve, and voluntarily provide us with" any documents he had from the time of the data leak.
As we reported in May this year, the unsecured records were said to have dated back to 2003, which goes some way to explain the sheer scale of the allegations.
A class-action lawsuit has also been under way since late May, with the lead claimant similarly alleging that First American was using sequential document numbers to display information to customers – potentially allowing anyone to change a digit or two of a URL of one insurance-related document to gain access to another belonging to a stranger.
The complaint claimed:
"It took no computer sleuthing to uncover numbers that will pull personal data; First American's document identification numbers were sequential. Follow that sequence 885 million times — 1, 2, 3, 4, and so forth — and you could access all 885 million."
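The pattern the complaint describes leaves a recognisable trace in web server logs: one client being served a long unbroken run of document numbers. The following is an added example, not code from the article, the complaint or First American, showing one way a defender could flag it; the /documents/<id> path, the log layout, the threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed combined-log layout and a hypothetical /documents/<id> URL scheme.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /documents/(\d+) HTTP/[\d.]+" (\d{3})'
)

def _line(ip, doc_id, status=200):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [01/Jan/2020:10:00:00 +0000] '
            f'"GET /documents/{doc_id:09d} HTTP/1.1" {status} 5120')

# Constructed sample: one client walking ids 75..82, one ordinary customer,
# and one client whose requests were all refused.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", n) for n in range(75, 83)]
    + [_line("203.0.113.20", 4410), _line("203.0.113.20", 9127)]
    + [_line("192.0.2.44", n, 403) for n in range(10, 20)]
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    seen = set(ids)
    best = 0
    for n in seen:
        if n - 1 not in seen:          # n is the start of a run
            length = 1
            while n + length in seen:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(log_text, min_run=5):
    """Map client IP -> longest consecutive run of document ids it was
    actually served (HTTP 200), for clients reaching min_run or more."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "200":
            served[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for ip, ids in served.items():
        run = longest_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection of this kind only shows that records were walked; the underlying fix is to require authentication and a per-document ownership check before serving anything.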
In mid-July, First American issued a statement claiming that it had identified just 32 customers whose "non-public personal information" was "likely accessed without authorisation", and offered them free credit-monitoring services. This was a near-doubling of its previous estimate that only 14 customers' information was accessed. We have asked the firm whether it will comment on the latest developments.
It is understood that the SEC investigation centres around a potential breach of securities (stock exchange and share trading) law.
Until relatively recently, the US's breach reporting laws lagged behind enforcement regimes such as the EU's, though some states such as California have stronger mandatory disclosure laws than most, as HSBC's US arm found out the hard way in November.
Nonetheless, attacks by cybercriminals against banks are commonplace for the obvious reason. In February this year, the Bank of Valletta, Malta, pulled the plug on its entire internet access to thwart an attempted €13m cyberheist.
Closer to home, Tesco Bank was fined £16m by the Financial Conduct Authority in October 2018 after a 2016 hack saw £2.26m pinched from more than 9,000 hapless customers. ®
The class action suit is: David Gritz et al v. First American Financial Corporation