Data owned by 193 law firms exposed via unsecured Advanced database


An unsecured online database owned by leading UK software provider Advanced recently exposed personal & potentially sensitive information belonging to 193 law firms that used Advanced's Laserforms Hub.

The exposed database was discovered by technology firm TurgenSec in February this year. TurgenSec observed that the database could be reached by anyone with an Internet connection and a browser, with no authentication in the way. It contained personal and potentially sensitive information about, and records of the activities of, staff and clients of law firms and a software company.

With help from the National Cyber Security Centre, TurgenSec established that the database was not government-owned, and learned from some of the impacted law firms that it belonged to Laserforms Hub, which is owned and operated by Advanced Computer Software Group Limited.

“Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organisations involved. Therefore our first priority is always to ensure the owners of the database are informed so that they can close the database. Since this data had been exposed for an extended period, our intention was to ensure that those affected were informed of the breach so they could act appropriately to protect themselves,” said TurgenSec in a blog post.

After the data exposure was reported by TurgenSec to Advanced, the software provider closed public access to the database but refused to cooperate with the firm to issue any public statement about the breach.

Organisations must have data retention policies that are granular with respect to personal information

According to TurgenSec, the exposed database contained information related to the staff of legal firms and sensitive data relating to authentication on behalf of clients as well as usernames, IDs, hashed passwords, names of organisations, and details of platform administrators.

For some of the firms, potentially sensitive information such as names, addresses, phone numbers, towns of birth, passport numbers, NI numbers, eye colour, mothers' maiden names and fathers' first names was exposed.

Information like company type, company name, contact name, contact number and company authentication code were also stored in the exposed database. Extensive details of transactions, payment terms and client agreements were believed to be a part of the database as well.

“This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture,” TurgenSec added.

Following this discovery, Darren Wray, CTO at Guardum, told TEISS that “this incident further demonstrates the need for organisations, and particularly SaaS and data hosting services, to have a data retention policy that is granular in respect to personal information. I don't think that many of the people who provided this personal information would expect it to still be stored and available three years after it was provided, particularly information that can't be changed like eye colour and names of parents.

“In order to overcome this problem, organisations can benefit from finding and redacting personal information in documents and other unstructured forms, whilst leaving the rest of the document usable and accessible. Companies taking this approach can protect themselves and their customers' data as well as maintaining compliance with GDPR and other national and international data protection and cyber security laws,” he added.
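As an added illustration of the two controls Wray describes (example code written for this page, not Guardum's product, Advanced's software, or anything recovered from the exposed database), the block below redacts the identifier types the article lists from a constructed onboarding document while leaving the business text readable, and applies a per-record retention check. The sample document, the regular expressions, the field labels and the three-year retention period are all assumptions chosen for illustration.

```python
import re
from datetime import date

# Constructed sample document (not data from the exposed database). It mixes
# the identifier types named in the article with ordinary business text that
# a redaction pass should leave intact.
SAMPLE_DOC = """Client onboarding form (constructed example)
Name: A. Person
NI number: AB123456C
Passport number: 123456789
Phone: 07700 900123
Mother's maiden name: Smith
Eye colour: blue
Notes: agreement signed 2017-03-02, payment terms net 30, ref NI number AB123456C.
"""

# Two kinds of detector. Pattern detectors find identifiers wherever they
# occur in free text; label detectors redact the value after a known field
# label, for data (eye colour, a parent's name) that no regex can recognise.
# Both sets are illustrative assumptions, not a complete PII catalogue.
PATTERN_DETECTORS = {
    # UK National Insurance number: two letters, six digits, suffix A-D.
    # The character classes exclude prefix letters that are never issued.
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"),
    # UK mobile number, with or without a space after the fifth digit.
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}
LABEL_DETECTORS = {
    "passport": re.compile(r"(?im)^(Passport number:\s*)(\S.*)$"),
    "maiden_name": re.compile(r"(?im)^(Mother's maiden name:\s*)(\S.*)$"),
    "eye_colour": re.compile(r"(?im)^(Eye colour:\s*)(\S.*)$"),
}


def redact(text):
    """Return (redacted_text, counts).

    Each hit is replaced by a typed placeholder rather than deleted, so the
    document stays readable and reviewers can see what category was removed.
    """
    counts = {}
    for name, rx in PATTERN_DETECTORS.items():
        text, n = rx.subn(f"[REDACTED {name}]", text)
        if n:
            counts[name] = n
    for name, rx in LABEL_DETECTORS.items():
        text, n = rx.subn(lambda m, name=name: m.group(1) + f"[REDACTED {name}]", text)
        if n:
            counts[name] = n
    return text, counts


def retention_due(collected_on, today, retention_years=3):
    """True when a record collected on `collected_on` (ISO date string) has
    passed its retention period as of `today`. The three-year default is an
    illustrative assumption; a real policy sets it per data category."""
    collected = date.fromisoformat(collected_on)
    now = date.fromisoformat(today)
    try:
        expiry = collected.replace(year=collected.year + retention_years)
    except ValueError:  # collected on 29 February, target year is not a leap year
        expiry = collected.replace(year=collected.year + retention_years, day=28)
    return now >= expiry


if __name__ == "__main__":
    redacted, counts = redact(SAMPLE_DOC)
    print(redacted)
    print("redaction counts:", counts)
    # The sample record was collected in 2017; by March 2020 it is past
    # the assumed three-year retention and should be purged, not kept online.
    print("purge due:", retention_due("2017-03-02", "2020-03-02"))
```

Running the block prints the document with every identifier replaced by a category tag while the note about payment terms survives untouched; the second NI number buried in the free-text notes is caught by the pattern detector, which is the case label-based redaction alone would miss.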


Copyright Lyonsdown Limited 2020
