Have you purchased or sold any real estate within the past 16 years?
If so, what if I told you that up until last month, the digital records of everything involved in closing — including your bank account and Social Security numbers — remained accessible by anyone with simple access to the internet?
That’s what happened when security news site KrebsOnSecurity.com, run by journalist Brian Krebs, confirmed a real estate developer’s tip that First American Financial Corporation — a leading provider of title insurance and settlement services — exposed approximately 885 million digital real estate files dating back to 2003 on an unsecured web-based server.
Without getting too technical, since the server wasn’t password protected or didn’t require authentication, taking any file’s “name” and changing a digit at a time provided the next sequenced file in First American Financial’s database. And another.
And then maybe yours.
“Even worse, in these kinds of breaches, there’s no way of knowing if anyone accessed them or not,” warns the Identity Theft Resource Center, which notes accidental data exposures are “becoming all-too-common.” In fact, in 2018, ITRC reported accidental exposure breaches ranked second in the total number of records exposed at 22 million.
In a statement, First American Financial acknowledged that a “design defect created the potential for unauthorized access to customer data.” The company has hired an outside forensics firm to assess the extent of compromised customer information. If you’ve used First American Financial, stay updated at https://www.firstam.com/incidentupdate.
While this was an accidental exposure and not an intentional hacking breach, the danger of thieves easily accessing non- encrypted, sensitive personal identifying information is just as real.
How real? To help consumers better understand the impact caused by a specific data breach, the ITRC just launched a tool called “Breach Clarity” at www.idtheftcenter .org/breachclarity.
Breach Clarity’s First American Financial report rates an individual’s likely risk level at a dangerous 9 out of 10. That’s because besides Social Security and financial account numbers, exposed records also likely included date of birth, driver’s license, and employment wage information. That leads to identity theft.
In addition, KrebsOnSecurity warns the information exposed by First American Financial “would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title, and escrow firms in a bid to trick property buyers into wiring funds to fraudsters.”
“While there is nothing you can do to prevent the exposure of your information through an unprotected database, there are proactive measures you can take to reduce your risk of identity theft,” explains Mona Terry, VP of Operations for the ITRC. “This includes freezing your credit, reviewing your credit reports several times a year and monitoring your credit card and financial statements, including bills, for any suspicious activity.”
What else? Avoid voluntarily sharing too much information. Always ask why any requested personal information is needed, how it will be used, and what happens if you don’t provide it. Think of ID theft as a puzzle. The more unique pieces, the greater the possibility thieves can piece together your identity.
And watch out for scammers trying to take advantage of the latest data breach by posing as the affected company in an attempt to get your personal information.
Finally, consider this unsettling thought: Even if you’re unaffected by this specific data exposure, remember half the U.S. population — some 148 million individuals — had their names, Social Security numbers and dates of birth hacked in the August 2017 Equifax data breach. You can’t change those.
That means crooks still have the basic ingredients to steal your identity. Whenever they want.
So, keep your guard up.
David Morris is the Sun’s consumer advocate. Contact him c/o the Sun, 23170 Harborview Road, Charlotte Harbor, FL 33980; email email@example.com; or leave a message at 941-206-1114.