Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Over 190 Law Firms Impacted by Data Leak

May 27, 2020

CPO Magazine reported on May 18 that a major UK software company had exposed personal information belonging to over 190 law firms through an unsecured online database. The security firm TurgenSec discovered the leak and contacted the National Cyber Security Centre (NCSC). Following its responsible disclosure policy, TurgenSec then contacted the affected law firms, which confirmed that the leaked data came from legal documents hosted on Laserform Hub, a service owned by Advanced Computer Software Group Limited. The database was accessible to anyone with a browser and an internet connection. Advanced maintained that the exposed details were largely public records and did not report the leak.

The leaked information included details belonging to the staff of the law firms. Much of it could be deemed sensitive or special-category data: hashed passwords, legal documents, passport numbers, mother's maiden names, and eye color. The affected law firms had both their "primary" and "form" data exposed.

Primary data includes details such as usernames, IDs, and hashed passwords, while form data contains records such as authentication codes, company details, and service charges.

The database exposed roughly 10,000 legal documents from about 190 law firms, and it had been accessible for years before TurgenSec discovered the flaw.

TurgenSec published the list of the affected law firms in its update of the data leak timeline. Law firms whose legal documents were leaked included Clifford Chance and Slaughter and May.

Justin Young, director of security and compliance at Advanced Computer Software Group, said the information revealed in the leak was already in the public domain, published by Companies House. He added that some of the fields were blank and that the rest contained only the first three letters of each response. Young said sensitive information such as business email addresses, passwords, and security verification responses had been left out of the exposed data. He also said the passwords were stored in hashed form and that very little discernible information could be recovered from the exposed legal documents. The company did not report the leak, citing independent legal advice and the nature of the data involved.

After TurgenSec established that the database belonged to Advanced and tried to contact the company, it received no response. Advanced later sent a written statement telling the security firm that it had no right to associate the data leak with the company's name.

It is unlikely that law firms would publish legal documents containing hashed passwords or the first three letters of security verification responses. Three letters are highly discernible, especially when the answer is a place name or a surname: they tell an attacker what the full answer probably is and cut a brute-force search down to a handful of guesses. The CPO Magazine article suggests that both Advanced and the law firms would rather the story had not come out, because it might affect how much clients trust the firms.
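To show concretely why a three-letter prefix is not harmless, here is a small added example (written for this post, not code from TurgenSec, Advanced, or any of the firms). It assumes, for illustration only, that a security answer is a surname, that the stored value is an unsalted SHA-256 digest of the lower-cased answer (the report does not say how Advanced hashed anything), and it uses a constructed two-dozen-name list in place of a real surname dictionary. It counts how many candidates survive a leaked prefix and how many guesses an offline attack then needs against the hash.

```python
"""Added example: how a leaked 3-letter prefix shrinks an offline guessing attack.

Assumptions (not from the original report): answers are surnames, stored as
unsalted SHA-256 hex digests of the normalised answer, and SURNAMES is a
constructed stand-in for a real name dictionary.
"""
import hashlib

# Constructed stand-in for a surname dictionary. A real attacker would use a
# list of tens of thousands of names (e.g. derived from census data).
SURNAMES = [
    "Smith", "Smithson", "Smyth", "Jones", "Johnson", "Johnston",
    "Williams", "Wilson", "Wilkinson", "Brown", "Browne", "Taylor",
    "Davies", "Davis", "Evans", "Thomas", "Thompson", "Roberts",
    "Robertson", "Robinson", "Walker", "Wright", "Robson", "Hughes",
]


def normalise(answer: str) -> str:
    """Security answers are usually compared case-insensitively (assumption)."""
    return answer.strip().lower()


def sha256_hex(text: str) -> str:
    """Hypothetical storage format: unsalted SHA-256 of the normalised answer."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def candidates(wordlist, prefix):
    """Return only the dictionary entries consistent with a leaked prefix."""
    p = normalise(prefix)
    return [w for w in wordlist if normalise(w).startswith(p)]


def search_space(wordlist, prefix):
    """(total entries, entries remaining once the prefix is known)."""
    return len(wordlist), len(candidates(wordlist, prefix))


def crack(target_hash, wordlist, prefix=None):
    """Offline guess against a stored hash.

    Returns (answer, guesses_made); answer is None if nothing matched.
    With a prefix, only the consistent candidates are hashed and compared.
    """
    pool = candidates(wordlist, prefix) if prefix else list(wordlist)
    for n, guess in enumerate(pool, start=1):
        if sha256_hex(normalise(guess)) == target_hash:
            return guess, n
    return None, len(pool)


if __name__ == "__main__":
    # Constructed victim record: the stored hash plus the three leaked letters.
    stored = sha256_hex(normalise("Robson"))
    leaked_prefix = "Rob"

    total, remaining = search_space(SURNAMES, leaked_prefix)
    print(f"dictionary size {total}, candidates after prefix {remaining}")
    print("without prefix:", crack(stored, SURNAMES))
    print("with prefix:   ", crack(stored, SURNAMES, leaked_prefix))
```

With a real surname list the reduction is far larger than the 24-to-4 shown here, and hashing the answer does not help much: an attacker who has the hash and the prefix only needs to hash the few remaining candidates. Salting would stop precomputed tables but not this targeted guess, and a slow KDF only multiplies a very small number of attempts.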

I suspect there are many more breaches that have effectively been covered up for the same reason.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson