Understanding The First American Financial Data Leak: How Did It Happen And What Does It Mean
Memorial Day weekend got off to a rough start for millions of Americans when security researcher Brian Krebs reported the discovery of more than 885 million sensitive documents exposed online by insurance giant First American Financial. Those files stored on the company’s website, firstam.com, contained bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers and photos of driver’s licenses. All of that information, which dated back to 2003, was available without any sort of protection and could be accessed without so much as a password—as long as a person knew where to look.
When a data leak like this occurs, it can be hard to tell just how severe it is. Without question, it’s a troubling occurrence and does not inspire confidence in First American’s capabilities to protect customer data. What makes it challenging to fully understand how widespread the effect of this leak is, is the fact that this information simply sat exposed online. There wasn’t a clear breach of the company’s servers or evidence that a malicious third-party gained access to files without permission. This isn’t an Equifax situation, though it certainly has the capacity to be every bit as devastating if someone with bad intentions discovered this data first.
What happened in the case of First American Financial is a relatively common website design error called Insecure Direct Object Reference (IDOR), according to Dave Farrow, Senior Director of Information Security at Barracuda Networks. Essentially, a link to a webpage with sensitive information is created and intended to only be seen by a specific party, but there is no method to actually verify the identity of who is viewing the link. As a result, anyone who discovers a link to one document can view it—and can discover any of the other documents hosted on the site by simply modifying the link.
Even if this information existed online, undetected by anyone, at least some of it was still captured by search engines. According to First American, cached versions of at least 6,000 exposed documents were still readable online. The company is making efforts to remove them, but those documents simply exist online with sensitive information readily available to anyone who finds them.
https://www.google.com/amp/s/www.fo...-how-did-it-happen-and-what-does-it-mean/amp/
___________________________________
Isn't this doxxing someone?
I'm pretty sure it is illegal to make someone's sensitive data available online, and yet for some reason our ten penny corporate Kings seem to be above the law these days, and I would be absolutely floored if anyone actually went to jail over this obvious violation of the law.
What say you WR?
Are the executives at First American Financial guilty of a crime, and if so do you think they will actually be held to account?
Discuss........
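The IDOR pattern the quoted article describes, shown as an added example that is not from the article, from the poster, or from First American's site. It uses a constructed in-memory document store with sequential IDs (an assumption, chosen to mirror the "modify the link" behaviour described above) and puts a handler that trusts the ID in the link next to one that also checks who is asking.

```python
"""Insecure Direct Object Reference (IDOR): a lookup keyed only by the ID in the
link, beside the hardened form that also authorizes the caller.

Everything here is constructed for illustration: the document store, the user
names and the sequential IDs are assumptions, not data from the real site.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str        # the customer the record belongs to
    contents: str


# Constructed sample data; sequential IDs make "change the number in the link"
# an obvious enumeration strategy.
DOCUMENTS = {
    1000: Document(1000, "alice", "wire transfer receipt for alice"),
    1001: Document(1001, "bob", "bank statement for bob"),
    1002: Document(1002, "carol", "driver's licence scan for carol"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the record (or it does not exist)."""


class NotFound(Exception):
    """Raised by the vulnerable handler for an unknown ID."""


def get_document_vulnerable(doc_id: int, user: Optional[str]) -> Document:
    """IDOR: the ID taken from the link is the only thing consulted.

    `user` is accepted but never used, so an unauthenticated caller who guesses
    or increments an ID is served the record.
    """
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id)


def get_document_secure(doc_id: int, user: Optional[str]) -> Document:
    """Hardened: require an authenticated user, then check ownership.

    "Missing" and "not yours" deliberately produce the same error so that a
    caller walking the ID space cannot learn which IDs exist.
    """
    if user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != user:
        raise Forbidden("no such document for this user")
    return doc


def enumerate_documents(
    handler: Callable[[int, Optional[str]], Document],
    start: int,
    count: int,
    user: Optional[str],
) -> List[int]:
    """Walk `count` sequential IDs the way someone editing a link would.

    Returns the IDs the handler actually served, which is exactly the set an
    attacker would be able to read.
    """
    served = []
    for doc_id in range(start, start + count):
        try:
            handler(doc_id, user)
            served.append(doc_id)
        except (Forbidden, NotFound):
            continue
    return served


if __name__ == "__main__":
    print("vulnerable, no login:", enumerate_documents(get_document_vulnerable, 1000, 5, None))
    print("secure, no login:    ", enumerate_documents(get_document_secure, 1000, 5, None))
    print("secure, as bob:      ", enumerate_documents(get_document_secure, 1000, 5, "bob"))
```

The point of the comparison is that the fix is an authorization check tied to the identity behind the session, not a longer or less guessable ID: an unguessable link still leaks the moment it is shared, cached by a search engine or left in a referrer, which is the situation the article describes with the cached copies.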
