Call 888-333-2350 or fill out the contact form on this page to see if your data was hacked. You may be eligible to join our class action lawsuit!
First American Title Company is the top title insurance firm in the United States, and is often involved in both the buyer and lender sides of real estate transactions across the country. If you have purchased or sold real estate anytime since 2003 where First American Title Company or First American Financial Corporation was involved in a title search, title insurance or mortgage escrow, your data may have been breached, opening you up to an increased risk of falling victim to a variety of identity theft crimes.
It is unknown whether this data was ever accessed by malicious actors. However, due to the ease with which anyone could access this data, and the obvious value of this data to scammers and criminals, millions of people may have been impacted. Brian Chase, founder of the law firm of Bisnar Chase, has filed a class action lawsuit against First National Title Company and First National Financial Corporation on behalf of people who are affected. Read the complaint here, and call the law office now for a free consultation at 888-333-2350 or fill out the form on this page to see if you are eligible to join our class action lawsuit to hold this company accountable.
On May 24, 2019, cybersecurity researcher Brian Krebs announced that First American, a major financial services company, published on its website more than 885 million sensitive mortgage documents. This data breach contained the confidential, private information of First American customers including, but not limited to:
Since the breach was first revealed by Krebs, First American admitted that a design defect in one of its applications exposed the private information of its customers. Following reports of the breach, First American stated:
“First American has learned of a design defect in an application that made possible unauthorized access to customer data. At First American, security, privacy and confidentiality are of the highest priority and we are committed to protecting our customers’ information. The company took immediate action to address the situation and shut down external access to the application. We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed.”
First American then hired an independent security forensic company and, upon determining there was unauthorized access to private information, First American shut down external access to the application.
While experts are uncertain as to when the data breach first began, the exposed documents date back to at least 2003 and were made available to the public without any security protection on the First American website.
Furthermore, First American allowed the breach to occur even though it was caused by a common website design error known as Insecure Direct Object Reference. This error occurs when a link to a webpage with sensitive information is created and intended to be seen only by a specific party, but there is no method to actually verify the identity of the person visiting the link. As a result, anyone who discovers a link to one document can view it and any other similar document just by editing the link.
To explain: First American gave persons authorized to access specific documents a URL to those documents on its website. That URL might end in “DocumentID=000000075.” Once that URL is obtained, anyone can access a different document which they are unauthorized to view by merely altering the numbers appearing at the end of the URL, for instance, by typing in the URL and ending it with “DocumentID=000000076.”
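The design error described above, shown next to a corrected form, as an added example that is not code from First American or from the complaint. The function names, e-mail addresses and document contents are constructed for illustration; only the sequential `DocumentID` pattern comes from the text.

```python
import secrets

# Constructed sample store keyed by sequential IDs, as in the URL pattern above.
DOCUMENTS = {
    "000000075": {"parties": {"alice@example.com"}, "body": "Escrow statement (constructed)"},
    "000000076": {"parties": {"bob@example.com"}, "body": "Wire instructions (constructed)"},
}
SHARE_LINKS = {}  # opaque token -> (document_id, intended recipient)


class AccessDenied(Exception):
    """Raised for every refusal, so responses do not reveal which IDs exist."""


def get_document_vulnerable(document_id):
    # The flaw: the ID in the URL is the only thing consulted. Nothing ties the
    # request to a person, so any valid ID returns its document.
    return DOCUMENTS[document_id]["body"]


def get_document_checked(document_id, authenticated_user):
    # Corrected: the server decides per request whether this authenticated
    # user is a party to this specific document.
    doc = DOCUMENTS.get(document_id)
    if doc is None or authenticated_user not in doc["parties"]:
        raise AccessDenied("document not available")
    return doc["body"]


def issue_share_link(document_id, recipient):
    # Defence in depth: hand out a random, non-sequential reference instead of
    # the internal ID, bound to one recipient.
    if recipient not in DOCUMENTS[document_id]["parties"]:
        raise AccessDenied("recipient is not a party to this document")
    token = secrets.token_urlsafe(32)
    SHARE_LINKS[token] = (document_id, recipient)
    return token


def get_document_by_link(token, authenticated_user):
    # The token alone is not enough; the authorization check still runs.
    entry = SHARE_LINKS.get(token)
    if entry is None or entry[1] != authenticated_user:
        raise AccessDenied("document not available")
    return get_document_checked(entry[0], authenticated_user)
```

The opaque token only removes the ability to guess neighbouring references; the per-request authorization check is what actually closes the flaw.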
When announcing the breach, Krebs suggested that an identity thief could obtain all of the records, stating that “a low-and-slow or distributed indexing of this data would not have been difficult for even a novice attacker.”
Moreover, websites such as archive.org have accessed and archived the records, which provides additional access to these records and further publishes them to the general public. Even more alarming, given the manner in which First American exposed the records, it is almost certain that web crawlers and/or spider bots, such as those that index pages for Google, have accessed and indexed these records, making them available to identity thieves regardless of how those affected responded to being informed of the data breach. In short, it is too late for anyone whose data may have been exposed to take steps to prevent the data from being stolen.
If you’re a First American customer or think you were party to a transaction that also involved the company, unfortunately, you have limited options to protect yourself against the possibility that your data was stolen in this breach. Keep a close eye on your bank and credit card statements to identify possible suspicious activity that may be connected to potential identity theft. You may consider signing up for a credit monitoring service if you are not signed up with one already. You can also consider freezing your credit if you suspect that your data is being used maliciously.
Because of the breadth of the breach and the sensitive nature of the data that may have been stolen, as a First American customer, you may be eligible to join a class action lawsuit currently being pursued against the company. Brian Chase of the California-based Bisnar Chase law firm is representing a large number of plaintiffs whose data may have been accessed or stolen by malicious actors.
Armed with the private identifying information from these records, hackers can sell the information to other thieves or misuse them to commit a variety of crimes that harm victims of the breach. For instance, they can:
As a result of First American’s willful failure to prevent the data breach, victims are more susceptible to identity theft and have experienced, will continue to experience, and face an increased risk of financial harms, in that they are at substantial risk of identity theft, fraud, and other harm.
To see if your data was hacked, call 888-333-2350 or fill out the contact form on this page. You may be eligible to join our class action lawsuit!
This page may be deemed Attorney Advertising. The law firm of Bisnar Chase has a main office located at 1301 Dove Street, #120, Newport Beach, CA, 92660, with additional offices in Los Angeles, Riverside and San Bernardino. Bisnar Chase serves all of California. In addition, they represent clients in various other states through their affiliations with local law firms. Through the local firm, they will be admitted to practice law in their state, pro hac vice.