A proposed class action claims that First American Financial Corporation (FAFC) failed to adequately protect customer data when a “reckless” website design flaw left millions of financial records exposed to the public.
According to the lawsuit, the defendant in May 2019 admitted to a “defect” in its website that allowed Internet users to access any of the title insurance company’s online files.
“The only action required to exploit the vulnerability in FAFC’s website was tweaking a single digit in the address of a file,” the suit explains. “No password or other login credentials were required to access all of FAFC’s customers’ files and Personal Information.”
This defect reportedly allowed unauthorized parties to access customers’ names, bank account information, mortgage records, Social Security numbers, and other sensitive data without hacking or providing any login credentials.
Prior to this exposure, the defendant apparently promised on its website that it was committed to safeguarding private information and reassured customers that it would comply with data security requirements. However, the company failed to disclose its “gross security inadequacies,” the complaint says, arguing that customers received a “less valuable service than the one paid for.”