We Have Met the Enemy and It Is Us

by Hank Berkley
Contributing Editor

In this blog we have written often about the need to assess levels of risk and to apply appropriate levels of security to them, but we have not mentioned a solution that should be at the top of everyone’s list of remedies. Eliminate the possible risk.

Last week First American Financial Corporation, a large provider of title insurance disclosed that it had inadvertently disclosed mortgage records, including social security and bank account numbers for 885 million records going back 16 years. There were no hackers involved or state sponsored villains. The causes of this data exposure were sloppy work and lack of proper planning.

The type of mistake that was in their website is one that a new programmer might make. It is one of the first weaknesses that a web tester would look for. This suggests that not only did First American not have experienced people building their web tools, but they lacked proper testing. Certainly, they never had an independent testing group ever look at their website. The error was first identified by an external user. 

Even worse, when the user notified First American of the problem, the reported vulnerability was ignored. It wasn’t until the user notified Brian Krebs, a well-known security researcher, who in-turn notified the company, that they paid any attention to the issue.

Regardless of the poor programming and lack of testing there is the basic question of why 16 years of data from a title insurance company were available on the internet. Was it a conscious decision to share all that data on the internet, even if proper security had been in place? Companies often focus on providing customers with self-help tools and then point those tools at the same, vast databases that are kept internally when a subset might be adequate.

If you use an online banking application, you will likely see that you can review only a limited number of past account statements or check images. This might help system performance, but it definitely limits the data that is being exposed. The bank has that data for at least 7 years as it is required by record retention regulations, but they require additional steps for non-employees to retrieve it.

There may be additional work necessary to segment data and doing so does not eliminate the need for proper cyber security processes; but it is the surest way to limit your exposure. When building systems there needs to be thought that goes into what data is needed by the people who will be using it. If you have a 10% customer turnover, you increase your potential exposure data loss by 10% for every unnecessary year of data you keep online. Perhaps you feel it is important to provide this service to customers, but did anyone ever ask the question BEFORE exposing the data? 

First American Financial demonstrated poor programming and a poor cyber plan that did not test their website. We don’t know why, but these were poor choices. They may have compounded their problem by choosing to put so much data online rather than segmenting what was needed internally from what was needed outside the company. It’s a step that is often overlooked in the name of speed of delivery or simplicity, but it is one that can be taken at any time. It might be worth asking the question of your existing systems. The answer could reduce any future loss you might incur.