The nation’s largest title insurance company exposed personal information and data from hundreds of millions of mortgage documents going back to 2003, a security news website reported Friday.
First American Financial Corp. “kept the digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images” on an open server “available without authentication to anyone with a Web browser,” KrebsOnSecurity reported. The website said the documents were not secured until the title insurance company was notified this week about the breach.
Title companies like First American are entrusted with data related to virtually every aspect of a consumer’s life. In order to get approved for a mortgage, consumers turn over a host of information about their financial accounts, employment, bills and other outstanding loans. Title insurers keep the digitized records of these transactions.
It’s unclear whether any of the exposed data in this incident was actually accessed. In a statement, First American said it has taken steps to secure the data. “First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
The Krebs website reported that it learned of the breach when it was contacted “by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site (firstam.com) was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
Size of the breach
The Krebs site reported that 885 million files, the earliest dating back more than 16 years, were exposed. Many of them were records of wire transactions containing bank account numbers and other information from home or property buyers and sellers.
Title companies are overseers of the closing process, when the homeowner signs stacks of documents related to the sale. The homebuyer pays a premium to the title company as part of the closing costs and that includes a lender’s title policy and a homeowner’s title policy. The insurance protects property buyers and mortgage lenders against defects or problems with a title when there is a transfer of property ownership. If a title dispute arises during a sale, the title insurance company may be responsible for paying specified legal damages, depending on the policy.
What you can do
We don’t know yet which, if any, records were accessed. Meanwhile, periodically check your credit reports for signs of fraud — new accounts you didn’t open, hard inquiries you don’t recognize, payment history you can’t account for, an employer you never worked for and personal information unfamiliar to you. Pull each of your credit reports at least once over the course of the next year to check for fraudulent activity. You can get your reports free once a year at annualcreditreport.com.
Consider putting a credit freeze on your reports. A credit freeze prevents the credit reporting agencies from releasing your credit report to new creditors.