
First American Financial Customer Data Exposure Class Action

Should companies delete the private information of customers after a certain period? The complaint for this class action says that First American Financial Corporation (FAFC) “expressly promises it will maintain appropriate facilities and systems to protect against unauthorized access to” its customers’ information. Still, it suffered a breach that exposed “approximately 885 million records” relating to sixteen years of mortgage transactions.

Two kinds of classes have been proposed. 

  • The first is the Nationwide Data Breach Class, a single class comprised of all persons living in the US who bought title insurance and/or other products or services from FAFC and whose personal information was exposed via FAFC’s website.
  • The alternative is individual state classes, named as Statewide [Name of State] Statutory Classes. These include all residents of each included state whose personal information was kept on FAFC’s database and compromised as a result of the breach announced by FAFC on or around May 24, 2019. The states for these classes include Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, Nevada, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Texas, Utah, Vermont, Washington, West Virginia, and Wyoming.

The complaint alleges, “In one of the most reckless data breaches/exposures in modern history, the FAFC website allowed anyone with a computer to access approximately 885 million records without asking for any authentication. The only action required to exploit the vulnerability in FAFC’s website was tweaking a single digit in the address of a file. No password or other credentials were required…”

FAFC is one of the largest title insurance companies in the country, offering title insurance, closing/settlement services, property data, insurance, trust and wealth management services, and other related products and services. The records that it held included bank account numbers and statements, mortgage records, tax records, Social Security numbers, and drivers’ license images, among other things.

On May 24, 2019, FAFC revealed the data breach, saying that “a design defect in an application [] made possible unauthorized access to customer data.” In other words, as the complaint puts it, the information “was available for download without hacking into the FAFC databases and without having to provide any authentication.” 
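
The defect described above is a missing authentication and per-record authorization check on a document address. As an added illustration, not taken from the complaint or from FAFC's application, this Python example puts a handler with that defect beside one that checks the session and the record's owner; the record store, session tokens and function names are hypothetical.

```python
# Added illustration; the record store, session table and handler names are
# hypothetical and are not taken from FAFC's application.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str      # customer the record belongs to
    body: str


# Constructed sample data: sequentially numbered records.
DOCUMENTS = {
    1001: Document(1001, "alice", "closing statement (sample)"),
    1002: Document(1002, "bob", "wire instructions (sample)"),
}
# Constructed session table: session token -> authenticated customer.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


def get_document_flawed(doc_id, session_token=None):
    """Defect as the complaint describes it: the ID in the address is the only
    input consulted, so any caller receives any record that exists."""
    doc = DOCUMENTS.get(doc_id)
    return (200, doc.body) if doc else (404, None)


def get_document_checked(doc_id, session_token=None):
    """Same lookup with authentication and a per-record authorization check."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)            # no valid session: reject before lookup
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "missing" and "not yours", so a logged-in customer
    # cannot map which document numbers exist.
    if doc is None or doc.owner != user:
        return (404, None)
    return (200, doc.body)


if __name__ == "__main__":
    for handler in (get_document_flawed, get_document_checked):
        print(handler.__name__,
              handler(1002),                  # anonymous caller
              handler(1002, "token-alice"),   # a different customer
              handler(1002, "token-bob"))     # the record's owner
```

Making document numbers long or random does not replace the ownership check: an address that is forwarded, logged or indexed still opens the record for whoever holds it.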

According to the complaint, it was not FAFC’s security policies or actions that discovered the breach but a real estate developer. The complaint says that “FAFC was reportedly nonresponsive when [] it was first put on notice…” 

The complaint alleges that the company violated the Gramm-Leach-Bliley Act, arguing that FAFC meets the definition of a financial institution under the Act; it also claims that the company did not follow industry-standard protocols for safeguarding data.
