First American Data Breach
In May of 2019, insurance giant First American Financial first revealed a massive and significant data exposure. Today, the insurance giant finds itself involved in a class action lawsuit as a direct result of that data exposure. The lawsuit, brought first on behalf of David Gritz by Gibbs Law Group LLP, will likely expand in scope as more First American clients find cause to sign on—and by some estimates, there could be millions of First American customers (current and former) impacted by the recently revealed First American data breach.
Because the class action lawsuit is just beginning, it’s difficult to predict the ultimate scope it may encompass. First American Financial is one of the most widely used companies in the United States for closing real estate deals and for real estate title insurance, so it’s possible that the majority of those who sign on to the class action lawsuit will be involved in real estate. However, there’s no evidence to suggest that only real estate documents were vulnerable to this data exposure.
What Is This Data Exposure and How Did it Occur?
The data exposure in question involves any documents that were emailed to or from First American Financial. By some estimates, over 800 million documents were exposed. Whenever any documents were emailed, the First American Financial website created a special URL address for those documents. By random chance, one developer noticed that he could easily access other individuals’ documents by simply changing a few select characters in the URL.
In other words, none of the data was encrypted. And anyone who managed to guess a valid URL could then see the corresponding forms or data. It’s worth pointing out that this isn’t what is technically termed a data breach. That’s because there was no security to break or hack. This data was simply exposed for anyone with the know-how to access.
What Private Data Was Involved?
Because First American Financial worked as a kind of mediator in real estate transactions, they collected documents from home buyers and home sellers, and many of those documents included sensitive and personal information. Some of the information included:
- Social Security Numbers
- Drivers license numbers (and copies of the drivers licenses themselves)
- Bank account numbers
- Copies of bank account statements
- A variety of personal and private information
- Corporate documents
Documents exposed in this way go all the way back to 2003. It’s easy to see how much of this information could be used for nefarious purposes, such as identity theft. It’s not known to what degree bad actors knew about this exposed information, but all of this data would be of significant value to phishers, hackers, or other scammers.
Once First American Financial was made aware of the data exposure, they took measures to address the problem.
Justification for the Lawsuit
Lax cybersecurity on its own is certainly a public relations nightmare, but might not always be a justification for a class action lawsuit. In this case, however, the plaintiffs are making the case that First American Financial created a false expectation of privacy and security.
In large part that’s because First American Financial’s own terms of service repeatedly mention the company’s dedication to the security of user data. The primary thesis of this current class action lawsuit is that First American Financial was overstating its commitment to security—and that millions of customers were left vulnerable as a result.
The lawsuit was filed in the United States District Court for the Central District of California, which makes sense, as California has a thriving (and powerful) real estate presence. The course this class action lawsuit now takes will likely depend most significantly on how many other plaintiffs sign on.
How Can You Protect Your Data?
These types of lawsuits are an important tool for getting companies to take data security seriously. These data were exposed since 2003. That’s well over 15 years of open access to highly personal data and documents.
If businesses like First American Financial are forced to pay a financial cost for lax cybersecurity, they may begin to finally take seriously the welfare of user data. But if companies feel little to no heat, cybersecurity may not seem worth the investment.
First American Financial has certainly taken a hit to its reputation. Whether this class action lawsuit creates a dent in the company’s pocketbook as well remains to be seen.
Editor’s Note on the First American Class Action Lawsuit:
This piece is written about the recently filed First American Lawsuit. For more information, please shoot us an email to Outreach@ConsiderTheConsumer.com, find us on Twitter, Facebook, Instagram, LinkedIn, or even connect with us directly on our website! We look forward to hearing from all of you.
Interested in articles like these? Become a subscriber below!