Defendant Name: FIRST AMERICAN FINANCIAL CORPORATION; FIRST AMERICAN TITLE COMPANY
Plaintiff Name: BEN DINH, individually, and on behalf of all others similarly situated
Case Number: 8:19-cv-01105-AG-DFM
Court: UNITED STATES DISTRICT COURT CENTRAL DISTRICT OF CALIFORNIA
Practice Area: Class Action
Status: Active; Jury Trial Demanded
Date Filed: 06/04/19
Documents: Original Complaint (PDF)
Details of the First American Data Breach
On May 24, 2019, cybersecurity researcher Brian Krebs announced that First American published on its website more than 885 million sensitive mortgage documents (the “Data Breach”). These documents contained the confidential, private information of Plaintiff and putative Class members including, but not limited to, their names, email addresses, mailing addresses, dates of birth, social security numbers, bank account numbers, lender details, mortgage and tax records, driver’s license images, and other personal information (collectively, “PII”).
Since the Data Breach was first announced by Brian Krebs, First American has admitted that a design defect in one of its applications exposed the PII of its customers. Based on information and belief, First American hired an independent security forensic company and, upon determining there was unauthorized access to Plaintiff’s and Class members’ PII, First American shut down external access to the application.
While it is unclear when the Data Breach first began, the exposed documents date back to at least 2003 and were made available to the public without any security protection on the First American website. For instance, no username or password was required to view Plaintiff and Class members’ PII, and the webpage lacked industry-standard two-factor authentication.
The Disappointing Web Design Error that Caused the Data Breach
Most disappointing is that First American allowed the Data Breach to occur even though it was caused by a relatively common website design error called Insecure Direct Object Reference (IDOR). This error occurs when a link to a webpage with sensitive information is created and intended to be seen only by a specific party, but there is no method to actually verify the identity of who is viewing the link.
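The design error described above, shown as an added example that is not taken from the complaint or from any First American code: a lookup that trusts the document number in the link, beside one that verifies the viewer and checks that the viewer is an intended party. The document store, account names, and function names are all constructed for illustration.

```python
# Added illustration of Insecure Direct Object Reference (IDOR); all names and
# records below are constructed and do not describe any real application.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    body: str
    parties: frozenset  # accounts the link was intended for


# Constructed sample store keyed by document number.
STORE = {
    1001: Document(1001, "closing statement A", frozenset({"buyer_a", "seller_a"})),
    1002: Document(1002, "closing statement B", frozenset({"buyer_b"})),
}

AUDIT_LOG = []  # (user, doc_id, outcome) tuples for later review


def fetch_insecure(doc_id):
    """Flawed pattern: the identifier in the link is the only 'credential'."""
    doc = STORE.get(doc_id)
    return (200, doc.body) if doc else (404, None)


def fetch_checked(session_user, doc_id):
    """Corrected pattern: authenticate the viewer, then authorize per document."""
    if session_user is None:
        AUDIT_LOG.append((None, doc_id, "unauthenticated"))
        return (401, None)
    doc = STORE.get(doc_id)
    # Same reply for "missing" and "not yours", so responses do not
    # confirm which document numbers exist.
    if doc is None or session_user not in doc.parties:
        AUDIT_LOG.append((session_user, doc_id, "denied"))
        return (404, None)
    AUDIT_LOG.append((session_user, doc_id, "ok"))
    return (200, doc.body)


def denied_counts():
    """Count denials per account; a burst of these is worth alerting on."""
    counts = {}
    for user, _doc, outcome in AUDIT_LOG:
        if outcome == "denied":
            counts[user] = counts.get(user, 0) + 1
    return counts
```

The per-document check is what the flawed version lacks: requiring a login alone would still let any signed-in account read every record.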
CLASS ACTION ALLEGATIONS
First American is the largest title insurance company in the United States, earning $5.3 billion per year in revenue from selling title insurance and other closing services. As Forbes noted in 2006, First American prices its title insurance at 1,300% above its margin cost. The average policy with First American (in 2006) cost about $1,500 but running a title search—now that records are digitized—costs as little as $25. And First American pays only about $75 per policy to pay claims.
Customers believe that—at a minimum—the large sum they pay towards title insurance buys them security and peace of mind that their sensitive documents will be securely stored. As Ben Shoval, the man who discovered the First American breach, explains: “The title insurance agency collects all kinds of documents from both the buyer and seller, including Social Security numbers, driver’s licenses, account statements ... You give them all kinds of private information and you expect that to stay private.”