weerapat1003 - stock.adobe.com
A data exposure at Advanced Computer Software leaked thousands of legal documents affecting nearly 200 law firms.
According to TurgenSec, a London-based cybersecurity vendor, the data exposure affects more than 190 different law firms that use Advanced Computer Software products, which include applications designed for the legal industry. Exposed information includes staff data, logins with hashed passwords and in some cases various forms of personally identifiable information including everything from names and addresses to passport number, mother's maiden name and eye color.
TurgenSec initially discovered "what appeared to be a sensitive open database accessible to anyone with a browser and internet connection" back in February, according to the company's report. After initially believing the database was owned by Companies House, a U.K. government agency, TurgenSec researchers ultimately determined on April 14 that the database belonged to Laserform Hub, a company owned and operated by Advanced.
After initially contacting Advanced and being told an investigation into the data exposure was ongoing, TurgenSec said it tried and failed to establish a clear line of communication for two weeks, until "Advanced responded to TurgenSec with a written response stating that they did not wish to work with us and that we did not have permission to use their name in our breach disclosure."
"It was kind of sad that Advanced was unresponsive. It works out for everybody's benefit if it just gets dealt with and the full extent of it comes out immediately. Everybody, especially the data holders or the law firms in this case, can enact their incident response plans swiftly and take all of their legal or security steps they would appreciably want to do," Nathaniel Fried, co-founder of TurgenSec, told SearchSecurity.
Fried declined to provide any further details about the specific database that was exposed.
TurgenSec released its report of the data exposure with "significant amounts" of information redacted including Advanced's name. TurgenSec said two days later, The Financial Times contacted the vendor "informing us that they knew that the software company in question was Advanced."
After The Financial Times published its article on May 3, TurgenSec updated its report the following day with far more detail, including the names of affected law firms as well as Advanced as the owner of the database.
SearchSecurity contacted Advanced for comment on the matter. The company sent the following prepared statement from Justin Young, director of security and compliance at Advanced:
We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.
The data in question related to commercial property transactions and was largely of public record [published via Companies House] and pre-dated 2017. The data which was not subsequently included in public records consisted of business email addresses, passwords and security verification responses.
The passwords on the affected platform were all in secure hashed form. The majority of security verification responses on the affected platform consisted only of the first three letters of the response only and therefore resulted in a very limited amount of additional information being discernible from the platform. None of the data is deemed sensitive or special category under current legislation. We have taken legal advice to verify our position.
Update: Following the publication of this article, Advanced Computer Software contacted SearchSecurity disputing a portion of this report. A company representative issued the following statement:
NI Number, Passport Number, Mothers Maiden name were not populated or stored. Birth Town, Tel No, Eye Colour and Fathers Name were as per below.
a. "BirthTown": "CHE" – Only the first three letters were stored on the system
b. "TelNumber": "0121" – Only the first four numbers were stored on the system
c. "NINumber": - This information was never stored on the system
d. "PassportNumber": - This information was never stored on the system
e. "MothersMaidenName": - This information was never stored on the system
f. "EyeColour": "BLU" – Only the first three letters were stored on the system
g. "FathersFirstName": "CHR" – Only the first three letters were stored on the system
When contacted by SearchSecurity, Fried said although TurgenSec no longer has access to the database, the company stands by its original report, which is "100% factual."
"As our statement update says, we request that Advanced hand over the data to a forensics company so that they can get a good idea of the extent of the data breached," he said.
Fried added that although certain data types only had three characters populated, such as birth town, eye color, and fathers' first name, personal data can still be extracted from those abbreviations. Therefore, he said, Advanced should have reported the data exposure to the U.K.'s Information Commissioner's Office.