First American Facing Class Action Lawsuit After Leak of 885 Million Customer Records

New to ClassAction.org? Read our Newswire Disclaimer

A data leak of upward of 885 million records is at the center of a proposed class action lawsuit filed against title insurance providers First American Financial Corporation and First American Title Insurance Company. 

To understand the significance of the data breach, it’s important to grasp the nature of the records hackers supposedly accessed through First American’s website. The 32-page suit out of California’s Southern District explains that First American’s title insurance protects both property buyers and mortgage lenders against issues and disputes that may arise with a title during a transfer of property ownership. Issuing title insurance, the suit continues, involves First American researching records to verify that the title is clean, a process that’s then followed by the defendants contracting with an underwriting company to issue the customer’s title insurance policy.

Needless to say, when a prospective homebuyer or seller signs on with First American, they must provide the company with a substantial amount of information, ranging from Social Security numbers and driver’s license images to bank account, mortgage and tax records, the case says. Despite First American allegedly guaranteeing its commitment to safeguarding customer information against unauthorized third parties, it was reported by renowned data security expert Brian Krebs on May 24, 2019, that First American’s website leaked more than 885 million records. “[A]nyone who knew the URL for a valid document at First American’s website could view [the personally identifying information of any customer] just by modifying a single digit in the link,” Krebs reported. According to the lawsuit, this vulnerability went undetected “for an astonishing 16 years.”

First American, the lawsuit says, never notified homebuyers nor sellers that their information had been exposed.

The case goes on to say that after the publication of Krebs’ report, First American admitted that the security vulnerability was caused by “a design defect in one of its product applications,” and told Reuters via email that it was “currently evaluating what effect, if any, this had on the security of customer information.”

Thus far, First American has not notified its customers that their personally identifiable information has been exposed to unauthorized parties, the lawsuit states.