First American Financial Corp. Leaked Hundreds of Millions of Insurance Records

418 points by PatrolX, almost 6 years ago

18 comments

client4, almost 6 years ago
I did a penetration test for $NATIONALINSURER and they had an FTP site with weak credentials where all the remote offices uploaded claims. Millions of records and scans of SSNs, home addresses, bank information, etc. Their mitigating controls were: we put it behind a firewall.

Then again I didn't expect much, their MSSQL in prod had SA/SA credentials active.
zhte415, almost 6 years ago
A lot of discussion on the technical side, but not from the organisational side.

How could audit, both internal and external, not find this? 2003 to today is 16 years. Audit is a last line of defence and certainly not to be relied upon as a buddy to catch your errors. But... how? This is a major financial institution in the most developed country in the world (the clue's in the name). It should subscribe to the highest integrity and tightest scrutiny. This seems an opportunity for both internal and external auditors to tighten their game.

Outside of audit, surely an employee might have noticed? Was there no formal method to speak up without fear of recrimination? According to Wikipedia [1] there are eighteen thousand employees. Someone never noticed?

This seems an organisational failing, not a technical one.

[1] https://en.wikipedia.org/wiki/First_American_Corporation
angry_octet, almost 6 years ago
Whenever you are compelled to upload/send a photocopy of an ID document it is sensible to write the date and purpose / file reference on it. If it appears in a document dump at some later date you know the path and date of the leak.
throwawaymath, almost 6 years ago
Yet another security vulnerability caused by:

1. Using sequentially incremented integer sequences as object IDs, and

2. Failing to protect sensitive data using some kind of authentication and authorization check.

This is becoming a trend with data breaches. Several of Krebs' other reports on behalf of security researchers were originally identified by (trivially) walking across object IDs on public URLs.

My cynical take is that Krebs couldn't go public before this afternoon because First American wanted it to hit the news at an opportune time, then get ahead of it with their own messaging. Krebs got in touch with First American on Monday May 19th. The story is only just breaking now on a Friday afternoon at 5 pm; markets are conveniently closed for the weekend.

I expect them to issue a hollow PR statement about valuing security despite being unable to act on security reports until an investigative journalist threatens to go public.
raesene9, almost 6 years ago
By the sounds of it, another breach from a well-known, not new web application security vulnerability, "Insecure Direct Object Reference".

That vuln has been an explicit part of the OWASP Top 10 since 2007...

Unlike other common web app vulns (e.g. XSS, SQLi) IDOR usually can't be fixed by a development framework (e.g. ASP.Net or Rails); it needs app-specific coding for proper Authentication/Authorization checks.
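The two failures named in the thread above (sequential IDs that can be walked, and a lookup that never checks who is asking) side by side with the app-specific fix raesene9 describes, as an added Python example that is not from the thread or from First American's application; the in-memory `DocumentStore`, the sample records and the `requester` identity (assumed to come from the app's authenticated session) are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist', so the response is not an oracle."""


@dataclass
class Document:
    owner: str      # authenticated account that may read the record
    contents: str   # stands in for the scanned closing/escrow document


class DocumentStore:
    """Constructed in-memory stand-in for the document web app (hypothetical)."""

    def __init__(self):
        self._by_seq = {}    # sequential integer id -> Document (the leaky layout)
        self._by_token = {}  # random opaque id -> Document
        self._next_seq = 1

    def add(self, owner, contents):
        doc = Document(owner, contents)
        seq = self._next_seq
        self._next_seq += 1
        token = secrets.token_urlsafe(16)  # 128 random bits: not reachable by changing a digit
        self._by_seq[seq] = doc
        self._by_token[token] = doc
        return seq, token

    def vulnerable_fetch(self, doc_id):
        # The pattern described in the thread: the link is the only credential and the
        # requester's identity is never consulted, so any valid id reaches any record.
        return self._by_seq[doc_id]

    def hardened_fetch(self, requester, token):
        # Fix 1 (the one that matters): object-level authorization against the
        # authenticated requester, which no framework does for you.
        # Fix 2 (defence in depth): the id is an unguessable token, not a counter.
        doc = self._by_token.get(token)
        if doc is None or doc.owner != requester:
            raise Forbidden("document not available")
        return doc

    def can_read(self, requester, token):
        try:
            self.hardened_fetch(requester, token)
            return True
        except Forbidden:
            return False
```

Fix 2 on its own would only slow enumeration down; without Fix 1 a leaked link still exposes the record to whoever holds it.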
dmix, almost 6 years ago
> He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.

Good thing he didn't post this bug online after getting no response. I remember reading about someone who did that on an AT&T website a while back and was sent to jail for simply incrementing an id number in the URL and talked about it on Twitter.
LinuxBender, almost 6 years ago
That is an incredibly low friction interface to our documents. /s

What are the odds they have access logs going back to 2003?
reilly3000, almost 6 years ago
I just closed on my first house this week, and First American was of course my title company. I'll be interested to see if my data is included in this breach settlement or not.

I did notice when I was reviewing my docs that they emailed links to unauthenticated copies of docs, but they were mostly public records so I didn't think twice about it.

So they have my Name, address, email, SSN, copy of ID, copy of check from my bank with account/routing on it and much more, all in the open apparently.

I just went through an SSO implementation with a small team for a large user base. It was a bigger project than we had anticipated, but nonetheless manageable. I can't fathom that a financial institution of that scale could be that lax with basic security. Wouldn't their systems be subject to some regulation and require some kind of audit on a regular basis? Is this a failure of auditing systems, as well as internal security or even basic IT?
JimmyDugan, almost 6 years ago
Programmers' fault? Audit's fault? Security's fault? Pentesters' fault? IT's fault?

Listen, until C-level funds these programs properly and security is taken seriously by all, issues like this will forever be in the news.

I would be willing to bet their security, like most, has a long list of security gaps they can't get fixed because of resource issues; just hope they documented it or it could fall on them.

Most coding classes just teach how to make things work in Mister Rogers' world. Secure coding is an elective! Most run the DevOps model instead of SecDevOps and only involve security after it is ready to go into production, no matter what flaws security finds.

Why are black box pentests still taking place? Because the company is required to have a pentest but really does not want testers to find things. Their goal is not to improve security, rather to check that box ... we had a pentest.

C-level, this keep-the-lights-on budget you give Security/IT is costing you more than properly funding us! Oh yeah, you put that $ into cyber insurance! Lol, let's see how well that works.
PatrolX, almost 6 years ago
Class Action Lawsuit Filed: https://finance.yahoo.com/news/first-class-action-lawsuit-filed-110000081.html
JimmyDugan, almost 6 years ago
I see a lot of comments on sequential as the issue. Really, is that the issue?

Not the fact that John Doe can get to John Doe2's stuff without authenticating? WTF

Sequential or not, if there's no auth I can run a scanner and get it all, so what the hell does that have to do with the price of tea in China?
zeroDivisible, almost 6 years ago
I like how this news was posted on Friday afternoon before the Memorial Day weekend.
jammygit, almost 6 years ago
Where does one go to learn how to not cause this one day?
JimmyDugan, almost 6 years ago
Lol, everyone fights security and it is way underfunded, so they can only get like 1 out of 100 risks fixed, but it must be security's fault.
gesman, almost 6 years ago
"First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information..."

Who is coming up with these statements?

If you kept royally screwing something up for years that you claimed to be your "highest priority", then what can one expect from your normal lines of business?
Nicksil, almost 6 years ago
> At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers' information.

is such a meme.

Things will continue this way until there are serious repercussions for entities carelessly handling data.
snovv_crash, almost 6 years ago
At some point people will realise that holding large quantities of sensitive information is a liability, not an asset. Mindsets are slowly changing in this direction already.

The chickens will continue to come home to roost until people treat digital security as seriously as physical security.
wyxuan, almost 6 years ago
It seems that the stock price (under the ticker FAF) hasn't suffered very much. This was revealed on 5/19, and the response has been tepid. There isn't likely going to be very much backlash on the stock, unfortunately.