An unsecured online database owned by leading UK software provider Advanced recently exposed personal & potentially sensitive information belonging to 193 law firms that used Advanced's Laserforms Hub.
The exposed database was discovered in February this year by technology firm TurgenSec, which observed that the database was accessible to anyone with an Internet connection and a browser. The database contained personal and potentially sensitive information and activities of staff and clients of law firms and a software company.
With help from the National Cyber Security Centre, TurgenSec found that the database was not government-owned and learned from some impacted law firms that the database belonged to Laserforms Hub, which is owned and operated by Advanced Computer Software Group Limited.
“Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organisations involved. Therefore our first priority is always to ensure the owners of the database are informed so that they can close the database. Since this data had been exposed for an extended period, our intention was to ensure that those affected were informed of the breach so they could act appropriately to protect themselves,” said TurgenSec in a blog post.
After the data exposure was reported by TurgenSec to Advanced, the software provider closed public access to the database but refused to cooperate with the firm to issue any public statement about the breach.
Organisations must have data retention policies that are granular with respect to personal information
According to TurgenSec, the exposed database contained information related to the staff of legal firms and sensitive data relating to authentication on behalf of clients as well as usernames, IDs, hashed passwords, names of organisations, and details of platform administrators.
For some of the firms, potentially sensitive information such as names, addresses, phone numbers, birth towns, passport numbers, NI numbers, eye colour, mother’s maiden names and father’s first names was compromised.
Information such as company type, company name, contact name, contact number and company authentication code was also stored in the exposed database. Extensive details of transactions, payment terms and client agreements were believed to be a part of the database as well.
“This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture,” TurgenSec added.
Following this discovery, Darren Wray, CTO at Guardum, told TEISS that “this incident further demonstrates the need for organisations and particular SaaS and data hosting services to have a data retention policy that is granular in respect to personal information. I don't think that many of the people who provided this personal information would expect it to still be stored and available three years after it was provided, particularly information that can't be changed like eye colour and names of parents.
“In order to overcome this problem, organisations can benefit from finding and redacting personal information in documents and other unstructured forms, whilst leaving the rest of the document usable and accessible. Companies taking this approach can protect themselves and their customer's data as well as maintaining compliance with GDPR and other national and international data protection and cyber security laws,” he added.