Vulnerability exploit · Resolved

First American Financial document exposure

An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents — including Social Security numbers, bank account details, and driver's-license images — dating back to 2003, accessible to anyone without authentication.

Victim: First American Financial Corporation
Loss: $1.5M
Records: 885.0M

On 24 May 2019, the U.S. title-insurance and real-estate-settlement giant First American Financial Corporation was found to have exposed roughly 885 million documents — among the largest data exposures in history by record count — through a trivially exploitable web-application flaw. The exposed files contained some of the most sensitive personal data imaginable: Social Security numbers, bank-account numbers, mortgage and tax records, wire-transfer receipts, and images of driver's licenses.

What happened

The root cause was an insecure direct object reference (IDOR) — a form of broken access control. First American's document-sharing application generated URLs containing a sequential, numeric document identifier, for example …/DocumentDisplay.aspx?...&dm=...&numbers.... Anyone with a single valid link could simply increment or decrement the number in the URL to retrieve a different customer's document — with no login, authentication, or authorization check of any kind.
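The pattern described above, as an added illustration (not First American's code): a minimal document-display handler in the flawed form next to a hardened one. The store, the account names and the sample records are constructed; `can_access` and `display_secure` are assumed names.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential numeric id, the kind exposed in the URL
    owner: str    # customer account the record belongs to
    body: str


# Constructed sample archive (not real data): ids are sequential, so
# knowing one valid id reveals that its neighbours exist too.
ARCHIVE: Dict[int, Document] = {
    1001: Document(1001, "alice", "wire-transfer receipt"),
    1002: Document(1002, "bob", "tax record"),
    1003: Document(1003, "carol", "bank statement"),
}


class Forbidden(Exception):
    """Raised when the request fails authentication or authorization."""


def display_vulnerable(doc_id: int) -> str:
    """The IDOR pattern: whatever integer arrives in the URL is looked up and
    returned, with no check of who is asking."""
    return ARCHIVE[doc_id].body


def can_access(session_user: Optional[str], doc_id: int) -> bool:
    """Object-level authorization: the caller must be logged in AND the
    requested document must belong to that account."""
    if session_user is None:
        return False
    doc = ARCHIVE.get(doc_id)
    return doc is not None and doc.owner == session_user


def display_secure(session_user: Optional[str], doc_id: int) -> str:
    """Hardened handler. One generic error covers both 'no such document' and
    'not your document', so responses do not confirm which ids exist."""
    if not can_access(session_user, doc_id):
        raise Forbidden("not authorized for this document")
    return ARCHIVE[doc_id].body
```

The ownership check is the fix; switching to random, non-sequential identifiers reduces guessability but is no substitute for it.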

Because the identifiers were sequential, the entire archive of roughly 885 million documents, the earliest dated to 2003, could be enumerated automatically by a script. Later analysis indicated the records had likely been publicly reachable since at least March 2017.
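Detection logic for the enumeration behaviour described above, added here as an example and not taken from the original page or the company: it scans access-log lines for a client that steps through adjacent document ids. The log lines are constructed, and the `docid` query parameter and the `/DocumentDisplay.aspx` path form are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined-log-style line: client ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3})'
)

# Constructed sample (not real traffic): 203.0.113.7 walks ids 500..505 in
# order; 198.51.100.9 opens one unrelated record the way a customer would.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:10:00:01 +0000] "GET /DocumentDisplay.aspx?docid=500 HTTP/1.1" 200
198.51.100.9 - - [24/May/2019:10:00:02 +0000] "GET /DocumentDisplay.aspx?docid=88213 HTTP/1.1" 200
203.0.113.7 - - [24/May/2019:10:00:02 +0000] "GET /DocumentDisplay.aspx?docid=501 HTTP/1.1" 200
203.0.113.7 - - [24/May/2019:10:00:03 +0000] "GET /DocumentDisplay.aspx?docid=502 HTTP/1.1" 200
203.0.113.7 - - [24/May/2019:10:00:04 +0000] "GET /DocumentDisplay.aspx?docid=503 HTTP/1.1" 200
203.0.113.7 - - [24/May/2019:10:00:05 +0000] "GET /DocumentDisplay.aspx?docid=504 HTTP/1.1" 200
203.0.113.7 - - [24/May/2019:10:00:06 +0000] "GET /DocumentDisplay.aspx?docid=505 HTTP/1.1" 200
"""

def parse_doc_requests(log_text):
    """Yield (client_ip, doc_id) for each successful document fetch."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlparse(m.group("url"))
        if not url.path.endswith("/DocumentDisplay.aspx"):
            continue
        ids = parse_qs(url.query).get("docid")
        if ids and ids[0].isdigit():
            yield m.group("ip"), int(ids[0])

def find_enumeration(log_text, min_run=5):
    """Flag clients whose successive fetches step through adjacent ids
    (+1 or -1) for at least min_run requests. Returns {ip: longest_run}."""
    by_ip = defaultdict(list)
    for ip, doc_id in parse_doc_requests(log_text):
        by_ip[ip].append(doc_id)
    flagged = {}
    for ip, ids in by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged
```

In production the same check would run per client over a sliding time window; a sustained run of adjacent ids from one client is the signature an IDOR walk leaves in server logs.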

The flaw was disclosed to First American on 24 May 2019 by cybersecurity journalist Brian Krebs, who had been tipped off by a real-estate developer unable to get the company's attention. First American took the affected application offline the same afternoon. It was never publicly confirmed whether malicious actors had bulk-harvested the archive before remediation.

What was exposed

The documents related to real-estate transactions and contained:

  • Social Security numbers
  • Bank account numbers and bank statements
  • Mortgage and tax records
  • Wire-transfer receipts and instructions
  • Driver's-license images

Impact

  • Approximately 885 million documents spanning 16 years were exposed without authentication.
  • In July 2020, the New York Department of Financial Services brought charges under its Cybersecurity Regulation — the first enforcement action under that rule — and First American later agreed to a $1 million settlement with NYDFS.
  • In June 2021, the U.S. Securities and Exchange Commission settled charges that First American had inadequate disclosure controls: senior executives signing the company's public statements were unaware that the firm's own security team had flagged the same vulnerability months earlier. First American paid a $487,616 penalty.

Why it matters

First American is the textbook case for broken access control — now ranked the #1 risk in the OWASP Top 10. No malware, no zero-day, no phishing: just a predictable numeric identifier and a missing authorization check. The incident also became a landmark in regulatory accountability for cybersecurity disclosure. The SEC's action established that publicly traded companies must ensure that the executives certifying disclosures are actually informed of known material vulnerabilities — making internal security-to-leadership communication a matter of securities-law compliance, not just IT hygiene.

Financial impact

Reported costs in USD

Total reported loss: $1.5M (USD 1,487,616)
  • Fines & settlements: $1.5M

Timeline

  1. 2003: The earliest documents later found exposed are dated to this year; the affected application accumulates records over the following 16 years.

  2. March 2017: Documents appear to have been publicly accessible via the IDOR flaw from at least this date, per later analysis.

  3. 24 May 2019: A cybersecurity journalist (Brian Krebs), tipped off by a real-estate developer, notifies First American of the vulnerability.

  4. 24 May 2019: First American takes the affected application offline by Friday afternoon to remediate the exposure.

  5. 24 May 2019: The exposure is publicly reported, revealing that roughly 885 million documents were accessible without authentication.

  6. July 2020: The New York Department of Financial Services files charges under its Cybersecurity Regulation, its first such action.

  7. June 2021: The SEC settles charges over disclosure-controls failures; First American agrees to pay a $487,616 penalty.

Sources

  1. securityweek.com: https://www.securityweek.com/first-american-financial-exposed-millions-sensitive-documents/
  2. scworld.com: https://www.scworld.com/news/first-american-financial-website-leaked-885-million-documents
  3. engadget.com: https://www.engadget.com/2019-05-25-first-american-leak.html
  4. sec.gov: https://www.sec.gov/newsroom/press-releases/2021-102
