U.S. real estate title insurance company First American Financial Corp said on Friday it had learned of a design defect in one of its production applications that had made possible unauthorized access to customer data.
The statement was sent in response to a report by security news website Krebs on Security, which said First American's website had exposed about 885 million files dating back to 2003.
First American said it had shut down access to the application and was evaluating the impact of the defect.
"We are currently evaluating what effect, if any, this had on the security of customer information. We have hired an outside forensic firm to assure us that there has not been any meaningful unauthorized access to our customer data," First American said in an emailed statement.
Digitized records including bank account numbers and statements, mortgage and tax records, social security numbers, wire transaction receipts, and drivers license images were available without authentication to anyone with a web browser, according to the Krebs on Security report.
The report added that there was no information on whether fraudsters had been aware of the exposure.
First American Financial shares fell 2.2 percent to $54.05 in after-market trading.