First American Financial Corporation
And the Second American, and the Third......
I'm betting this was a REST application, or possibly one of the shonky server side Javascript frameworks, and their application "architecture" was based on a simple "Getting Started : How to Easily Create an Application in Five Minutes" example, which just passes ids in URLs rather than actually implementing things in a secure way. Seen a number of similarly stupid examples myself in the past decade - my favourite response when I raised the issue with a "senior developer" was being told that it didn't matter that the id was in the URL, because requests were encrypted using https, so nobody could see them! Doh!