A leading UK software company exposed personal information belonging to over 190 law firms through an unsecured online database. Security firm TurgenSec discovered the exposure but could not immediately identify the owner of the database, so it contacted the National Cyber Security Centre (NCSC). Following its responsible disclosure policy, the firm then contacted the affected law firms, who confirmed that the leaked data came from legal documents hosted on Laserform Hub, a service owned by Advanced Computer Software Group Limited. The database was accessible to anybody with a browser and an internet connection. Advanced claimed the exposed details were largely public records and chose not to report the leak.
The information exposed by the leaked legal documents
The information exposed by the data breach included details belonging to the staff of the law firms. Some of the information uncovered in the data leak could be deemed sensitive or special-category data, and included hashed passwords, legal documents, passport numbers, mothers’ maiden names, and eye colors. The affected law firms had both their “primary” and “form” data leaked.
Primary data includes details such as user names, IDs, and hashed passwords, while form data contains records such as authentication codes, company details, and service charges.
The data leak exposed around 10,000 legal documents from about 190 law firms, and the database had been exposed for years before TurgenSec discovered the data security flaw.
Major law firms affected by the leak
The Financial Times reports the data leak includes data from “three magic circle law firms.” TurgenSec also published the comprehensive list of the affected law firms in its update of the data leak timeline. Some of the notable law firms whose legal documents were leaked include Clifford Chance, and Slaughter and May.
Advanced Computer Software Group downplayed the data leak
Justin Young, director of security and compliance at Advanced, said the information revealed in the data leak was in the public domain and published by Companies House. He added that some of the fields were blank and the rest contained only the first three letters. Young said sensitive information such as business email addresses, passwords, and security verification responses had been left out. The director of security also said the passwords were in hashed form and there was very little discernible information in the legal documents exposed in the data leak. His company has not reported the data leak to the ICO, citing independent legal advice and the nature of the data compromised.
After TurgenSec established that the database belonged to Advanced and tried to contact its owners, the software company was unresponsive. Advanced later sent a written statement informing the cybersecurity firm that it had no right to associate the data leak with the company’s name.
Despite Advanced’s rebuff, it is unlikely that law firms would publish, as public records, legal documents containing hashed passwords or the first three letters of security responses. The first three letters are highly discernible, especially when they belong to place or personal names: they narrow the set of plausible answers to a handful, which makes brute-force or dictionary guessing far easier. Likewise, a password being “hashed” offers little comfort if the hash is fast and unsalted, since it can then be attacked offline against a wordlist. However, both Advanced and the affected law firms would presumably prefer the leak to remain discreet to avoid damaging their clients’ trust.
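As an added example (not code from the article, from TurgenSec or from Advanced), the following Python shows how a leaked three-letter prefix shrinks the guess space for a security answer such as a mother’s maiden name, and how a fast, unsalted hash can then be cracked offline against the narrowed list. The surname list, the password list, the leaked record and the choice of unsalted SHA-256 are constructed assumptions for illustration; the article does not say which hash algorithm was used.

```python
"""Added example (not from the article or from TurgenSec/Advanced): why a
three-letter prefix of a security answer is a strong hint, and why a hashed
value is not automatically safe. The wordlists, the leaked record and the use
of unsalted SHA-256 are all constructed assumptions for illustration."""
import hashlib

# Constructed wordlist standing in for an attacker's list of common UK surnames
# (a real attacker would use tens of thousands of names).
SURNAMES = [
    "Smith", "Jones", "Williams", "Taylor", "Brown", "Davies", "Evans",
    "Wilson", "Thomas", "Johnson", "Roberts", "Robinson", "Thompson",
    "Wright", "Walker", "White", "Edwards", "Hughes", "Green", "Hall",
    "Lewis", "Harris", "Clarke", "Patel", "Jackson", "Wood", "Turner",
    "Martin", "Cooper", "Hill", "Simpson", "Smithson", "Singh", "Shaw",
]

# Constructed stand-in for a small password dictionary.
PASSWORDS = ["password", "Password1", "letmein", "Summer2019!", "qwerty123"]


def candidates(prefix, wordlist):
    """Return the wordlist entries consistent with a leaked prefix (case-insensitive)."""
    p = prefix.lower()
    return [w for w in wordlist if w.lower().startswith(p)]


def reduction_factor(prefix, wordlist):
    """How many times smaller the guess space becomes once the prefix is known.
    Returns None if nothing matches: the prefix then tells the attacker the
    answer lies outside this list, which is itself useful information."""
    n = len(candidates(prefix, wordlist))
    return len(wordlist) / n if n else None


def sha256_hex(value):
    """Unsalted SHA-256 of a string, the assumed 'hashed' storage format."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def crack_hash(leaked_hash, guesses):
    """Offline dictionary attack: hash each guess and compare to the leaked digest.
    Returns the matching plaintext, or None once the dictionary is exhausted."""
    for guess in guesses:
        if sha256_hex(guess) == leaked_hash:
            return guess
    return None


def crack_answer(leaked_hash, prefix, wordlist):
    """Combine both leaks: only the prefix-consistent names need to be hashed."""
    return crack_hash(leaked_hash, candidates(prefix, wordlist))


def demo():
    # Constructed leaked record: a truncated security answer plus two unsalted hashes.
    record = {
        "maiden_name_prefix": "Smi",
        "maiden_name_hash": sha256_hex("Smithson"),
        "password_hash": sha256_hex("Summer2019!"),
    }
    return {
        "consistent_names": candidates(record["maiden_name_prefix"], SURNAMES),
        "reduction_factor": reduction_factor(record["maiden_name_prefix"], SURNAMES),
        "recovered_answer": crack_answer(record["maiden_name_hash"],
                                         record["maiden_name_prefix"], SURNAMES),
        "recovered_password": crack_hash(record["password_hash"], PASSWORDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the recovered values. The point is the reduction factor: with the prefix known, the attacker hashes two names instead of thirty-four, and a real name list shrinks by a similar proportion. The corresponding defences are not storing truncated plaintext answers at all, and hashing passwords with a salted, deliberately slow algorithm (bcrypt, scrypt or Argon2) so that an offline dictionary attack like this one becomes expensive.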
Update (May 19, 2020): Removed Linklaters from list of affected law firms. A spokeswoman for Linklaters said the firm had only ever accessed a demonstration version of the affected service and that no client data had been used nor had the firm lost any sensitive or confidential data as a result of this incident.
Update (May 20, 2020): Corrected inaccuracies based on feedback.