US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

The American Securities and Exchange Commission is said to be investigating a US insurance company that allegedly left 885 million personal records accessible "without authentication to anyone with a web browser". As revealed by infosec journalist Brian Krebs in May this year, First American Financial Corporation was said to …

  1. Pascal Monett Silver badge

    885 million

    Yes, we are on track for the billion-person data leak.

    Everything is proceeding as planned.

    1. vtcodger Silver badge

      Re: 885 million

      Entering quibble-mode:

      885,000,000 is rather a large number -- 16% of the population of the planet ... give or take a bit. I suspect that what was intended was either 885,000 persons or, probably more likely, 885,000,000 sequentially numbered transaction records including data on an unknown number of entities.

      1. eldakka Silver badge

        Re: 885 million

        probably more likely, 885,000,000 sequentially numbered transaction records including data on an unknown number of entities.

        32 entities if the company is to be believed.

        That means it generates 27,656,250 unique records per customer on average.

        1. Michael Wojcik Silver badge

          Re: 885 million

          That's bureaucracy for you, I suppose.

          Personally, I confess I stop reading after the first few thousand, and just sign the rest on faith.

  2. Anonymous Coward

    And these...

    Are the very companies Trump wants to force down our necks as soon as we uncouple from the EU!

  3. adam payne Silver badge

    First American's document identification numbers were sequential

    Please tell me someone got the bullet for this?!?!

    First American issued a statement claiming that it had identified just 32 customers whose "non-public personal information" was "likely accessed without authorisation", and offered them free credit-monitoring services.

    That is still 32 more than there needed to be.

    So, to make everything better, you offered the 32 people credit monitoring for a year. Go you.

    1. Bronek Kozicki Silver badge

      I suspect they must have a very loose definition of what "with authorization" means. Otherwise that figure would be just a bit larger, by a few orders of magnitude.

    2. DJO Silver badge

      It's a good thing criminals are too dumb to wait a year before trying to exploit the stolen data.

      Either monitoring should be supplied free for life, or all personal information such as account, SSI and driving licence numbers should be changed at the company's expense.

    3. Mark 85 Silver badge

      That is still 32 more than there needed to be.

      True, but the article states that originally it was 16 and is now 32. Seems to be progressing, or they've missed a few zeros in the number.

      1. Ken Moorhouse Silver badge

        Re: article states that originally it was 16 and is now 32

        The investigation is progressing - bit by bit.

      2. Michael Wojcik Silver badge

        Alas, it was originally 14 and is now 32, somewhat spoiling the joke.

        It's still a great example of the Big Lie, though. Someone at First American has balls.

  4. SVV Silver badge

    First American Financial Corporation

    And the Second American, and the Third......

    I'm betting this was a REST application, or possibly one of the shonky server-side JavaScript frameworks, and their application "architecture" was based on a simple "Getting Started: How to Easily Create an Application in Five Minutes" example, which just passes ids in URLs rather than actually implementing things in a secure way. Seen a number of similarly stupid examples myself in the past decade - my favourite response when I raised the issue with a "senior developer" was being told that it didn't matter that the id was in the URL, because requests were encrypted using HTTPS, so nobody could see them! Doh!

  5. Anonymous Coward

    Document 4? Everybody has document 4.

    At a certain company I worked for, I gave every customer its own sequence generator. The feature was for those special people on the front-end team who appeared to be committing espionage, or at least had an abnormally high number of OWASP Top-10 bugs despite training. It was no longer possible to access anything without reading the user ID from the secure identification token. (They found other ways to make security "mistakes" and were shown the door)

  6. Anonymous Coward

    Moore Breeches?

    Does Moore's Law apply to data breeches?

    1. eldakka Silver badge

      Re: Moore Breeches?

      Does Moore's Law apply to data breeches?

      No, but it does apply to shirts.

      1. Anonymous Coward

        Re: Moore Breeches?

        "No, but it does apply to shirts."

        Made me giggle.

        I'd offer you a pint (icon) if I wasn't Anon.

  7. Anonymous Coward

    How come web sites with nothing important

    Seem to generate URLs with dozens, and in a few cases I've seen HUNDREDS, of characters of gibberish, and an insurance company with personal information to protect uses sequential numbers in theirs?

    Outsource to the lowest cost provider, who hired the lowest cost offshore team, who were probably freshly out of "college" but faked their degrees to get the entry level IT job and this is what you get, I suppose.

  8. Anonymous Coward

    There appears to be zero limit on "stupid" when it comes to organizational IT security. I'll bet your average Win 10 home computer with Windows Defender running by default is more secure than the average corporate server.


Biting the hand that feeds IT © 1998–2020