This is the second class, after one filed in the previous week, about the massive data exposure involving one of the most widely-used title insurance and real estate closing companies. The complaint alleges that First American Financial Corporation and First American Title Company allowed some 885 million documents to be available on its website with no password or authentication required. (First American Title is a subsidiary of First American Financial Corporation.)
The class for this action is all persons in the US who used First American’s title insurance or other closing services in a real estate transaction involving mortgage financing, and whose sensitive personal information was accessed, exposed, or compromised in the data exposure.
When Americans buy homes, they are required to assemble and present a large amount of documentation. Title companies often obtain financial information, drivers’ license numbers or images, Social Security numbers, and the like.
It would be upsetting to learn that First American’s records had been breached by hackers, but in this case, no hacking was necessary: A flaw in the system enabled anyone to access the company’s files.
The flaw was first discovered by real estate developer Ben Shoval. First American’s website allows customers, real estate professionals, and others to review documentation with the entry of a nine-digit record number. Shoval discovered that the numbers were sequential, and that the alteration of a single digit would display another party’s file, including sensitive personal information.
Shoval tried to inform the company of the problem, but received no response. He then reported the problem to Brian Krebs, who has a website on cybersecurity issues.
The complaint alleges that the company assured customers it would safeguard their data. It quotes company statements on the subject, including this one: “We will use our best efforts to ensure that no unauthorized parties have access to any of your information. We restrict access to nonpublic Personal Information about you to those individuals and entities who need to know that information to provide products or services to you.” Also, “We will maintain appropriate facilities and systems to protect against unauthorized access to and corruption of the data we maintain.”
One problem is that the company keeps records on file indefinitely. The complaint says that, rather than purging documents from older, finished transactions, it had documents dating as far back as 2003.
The complaint claims that the real estate industry is an increasing target for cybercriminals. Also, in its 2018 Annual Report discussion of risk factors, First American acknowledged its duty to protect customer data from attacks, saying, among other things, that “the integrity of these systems and the protection of the information that resides thereon are critically important to the Company’s successful operation.”
The complaint alleges negligence, negligence per se, and breach of implied contract, among other things.