This class action is one of several addressing the leak of customer information held by First American Financial Corporation and First American Title Insurance. This was not a case of the company being hacked; rather, it was a flaw in the way the information was stored and accessed.
The class for this action is all persons who paid First American for services in the US and whose PII was exposed, accessed, compromised, or obtained from First American without consent.
First American is a very large entity, a Fortune 500 company that takes in billions of dollars each year. The information it stores is detailed and personal, since it involves the purchase of and title to real estate. The company stores customers’ personally identifying information (PII), including Social Security numbers, bank account numbers and statements, mortgage and tax information, images of driver’s licenses, and so on.
Despite its promises, on May 24, 2019, security expert Brian Krebs announced that First American’s website had been leaking information from 885 million records—and had been doing so for as long as sixteen years.
How was this possible? The complaint quotes Krebs as saying that “anyone who knew the URL for a valid document at First American’s website could view [the PII of any customer] just by modifying a single digit in the link.” That is, if you could access one document, you could access them all.
First American said the problem was due to “a design defect in one of its production applications.” It said it had “hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data.”
However, the complaint says that as of its filing in June, “First American has not notified any of its millions of customers whether their PII has been exposed to persons or entities with no right to possess their PII…”
The complaint alleges breaches of contracts, breach of the implied covenant of good faith and fair dealing, and negligence, among other things. It asks the court to require that the company remedy its inadequate data security measures and award damages to the customers whose information was exposed.