193 Law Firms – Advanced Data Breach Disclosure Update

4th May 2020, TurgenSec Limited, Public Statement v2.02

TurgenSec discovered a data breach at a legal software provider affecting over 190 law firms, including three magic circle law firms. We posted our public statement of the matter on the 27th of April. It has come to our attention that the identities of the owner of the database and affected parties are now public knowledge (FT Article).

Archive of statement updates:

Update – 6th May 2020

In order to minimise the need to interact with what could be unauthorised information, we use various methods that allow our security researchers to profile the extent of a data breach without being exposed to the raw data itself. These include table column header extraction and row metadata (character count, number of entries).

The metadata we gathered on this database indicates that some of the information labelled as authentication data was more than 3 characters long. We cannot speak for the number of entries that were more than 3 characters long or what they contained. We encourage Advanced to conduct forensics with an independent partner to ascertain the true magnitude of the breach.
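One way to carry out this kind of metadata-only profiling, as an added example (not TurgenSec's own tooling): the records below are constructed, the header names follow the flattened dotted form used in Appendix A, and each value is reduced to its character count before anything is stored, so the profile reports which columns exist, how many entries they hold and how long those entries are, but never the entries themselves.

```python
"""Breach-scope profiler: column headers and per-column length metadata only.

Added example, not TurgenSec's code. SAMPLE_RECORDS is constructed data; the
dotted header names mirror the flattened form used in Appendix A."""


def flatten(record, prefix=""):
    """Yield (dotted_header, value) pairs for a possibly nested record."""
    for key, value in record.items():
        header = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, header)
        else:
            yield header, value


def profile(records, markers=("Password", "Authentication", "NINumber", "Passport")):
    """Return {header: {entries, min_len, max_len, flagged}} for non-empty cells.

    Only the length of each value is measured and kept; the value is discarded.
    `flagged` marks headers whose name suggests authentication material."""
    stats = {}
    for record in records:
        for header, value in flatten(record):
            if value is None or value == "":
                continue  # empty cell: counts as no entry
            length = len(str(value))
            entry = stats.setdefault(header, {
                "entries": 0, "min_len": length, "max_len": length,
                "flagged": any(m in header for m in markers)})
            entry["entries"] += 1
            entry["min_len"] = min(entry["min_len"], length)
            entry["max_len"] = max(entry["max_len"], length)
    return stats


def populated_sensitive_headers(stats, min_len=4):
    """Flagged headers whose longest entry is at least min_len characters
    (i.e. longer than a 3-character placeholder such as 'N/A')."""
    return sorted(h for h, s in stats.items()
                  if s["flagged"] and s["max_len"] >= min_len)


# Constructed sample records (not real breach data).
SAMPLE_RECORDS = [
    {"id": 1, "UserName": "jsmith", "HashedPassword": "x" * 60, "Organisation": "Firm A",
     "CompanyDetails": {"CompanyNumber": "00000001", "CompanyAuthenticationCode": "ABC123"},
     "AuthenticationItems": {"NINumber": "N/A", "PassportNumber": ""}},
    {"id": 2, "UserName": "ajones", "HashedPassword": "y" * 60, "Organisation": "Firm B",
     "CompanyDetails": {"CompanyNumber": "00000002", "CompanyAuthenticationCode": ""},
     "AuthenticationItems": {"NINumber": "AB123456C", "PassportNumber": ""}},
]

if __name__ == "__main__":
    for header, s in sorted(profile(SAMPLE_RECORDS).items()):
        print(f"{header:42s} entries={s['entries']} "
              f"len={s['min_len']}-{s['max_len']} flagged={s['flagged']}")
```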

We also encourage Advanced to publicly address this breach and inform clients and potential new clients what they are doing to make sure a data incident like this does not happen again.

Purpose of this Statement | Corporate Disclosure Goals

  • Promoting verifiable transparency on the principle that organizations and individuals have a right to know what has been breached about them in objective and precise terms.
  • Through transparency, allowing individual and organizational consumers to make informed decisions on who to trust with their sensitive data.
  • Bringing attention to the wider debate of why breaches need transparency to reduce the costs of all involved.
  • Ensuring false information concerning this data breach cannot be used to manipulate, extort, sue or otherwise harm the involved parties or TurgenSec itself.

Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.

Note: Our team interacted with an open server. We do not use unauthorised credentials, brute force password guessing or any other unlawful process. We obtained sufficient information to understand the nature of the data and to contact relevant parties.

Terminology

Henceforth, the following applies:

  • Advanced Computer Software Group Limited will be referred to as Advanced.
  • TurgenSec Ltd will be referred to as TurgenSec.

Summary of Events

Further details available in Appendix C.

  • Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.
  • The database appeared to contain personal and potentially sensitive information about, and activities of, the staff and clients of law firms, as well as a software company.
  • We made efforts to identify the owner of this database, but were unable to do so with a high degree of confidence.
  • We suspected that the database may belong to a government agency or service and so we stopped triaging and informed the NCSC.
  • We worked with the NCSC and government connections to ensure that the owner was not a public agency.
  • We confirmed that the database was not government owned, but we could still not identify the owner of the database with certainty.
  • In line with our responsible disclosure policy we contacted the impacted firms, who worked with us to identify the owner and close the database.
  • A number of law firms impacted confirmed with us that the database likely belonged to the Laserforms Hub which is owned/run by Advanced Computer Software Group Limited.
  • Given a high level of confidence that Advanced were the owners of the database, we established a line of communication with those responsible for the database, who subsequently closed the database, and instructed us they did not want any further business with us or to be involved in any public statement.
  • The Financial Times contacted TurgenSec informing us that they knew that the software company in question was Advanced, and from our first statement that we had been the ones to discover it. The reporter had spoken to Advanced and confirmed to us that according to Advanced, the data was public record and of little significance, and they were going to run a story. 
  • TurgenSec issued its second public statement, in line with our Disclosure Policy and EC1 Ethics and Culture form.

Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organizations involved. Therefore our first priority is always to ensure the owners of the database are informed so that they can close the database.

Secondly, since this data had been exposed for an extended period, our intention was to ensure that those affected were informed of the breach so they could act appropriately to protect themselves. Our experience has taught us that breached data of this nature usually ends up in the wrong hands.

TurgenSec, working in line with its Responsible Disclosure Policy, triaged the database and contacted the NCSC. Over the next few weeks the database remained accessible to the public while we liaised with the NCSC and with the organisation to whom we believed the database belonged (Companies House); they later advised us that the database was not theirs.

As we were unable to identify the owner with a reasonable degree of certainty, and the database remained accessible (including to those with malicious intent), we proceeded in line with our policy. We contacted a minority of the impacted firms, provided them with redacted evidence, and worked with them to identify the correct owner.

Impact

The set of databases identified by TurgenSec appears to contain information relating to the staff of legal firms, and in some cases, potentially sensitive data relating to authentication on behalf of clients.

All firms had staff data breached. Potentially sensitive headers observed included:

  • id
  • UserName
  • HashedPassword
  • Organisation
  • FriendlyName
  • PlatformAdmin

Of the firms whose documentation was included in the breach, potentially sensitive headers observed included:

  • Name
  • Address
  • BirthTown
  • TelNumber
  • NINumber
  • PassportNumber
  • MothersMaidenName
  • EyeColour
  • FathersFirstName
  • CompanyDetails
    • CompanyType
    • CompanyName
    • CompanyAuthenticationCode
    • ContactName
    • ContactNumber

Extensive details of transactions, payment terms and client agreements are also believed to be potentially contained within the database. See Appendix A for details of the exposed database fields, and Appendix B for details of the firms we believe are affected by this breach.

Afterword

This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture. Due diligence is not a box that can be ‘checked’ once and left thereafter, nor should cyber security analysis be missing from this process – a problem we address in our Exosystem Monitoring solution.

Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.

No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. This data was discovered during R&D for TurgenSec’s DataShadow product.

There was no legal obligation for us to disclose this breach. Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in Appendix A. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.

Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high risk, no reward situation. We believe that such a culture shift would directly benefit the UK & international community through the global reduction of cyber crime.

Appendix A – Field headers

Primary data (available for all firms affected)

  • id
  • UserName
  • HashedPassword
  • Organisation
  • FriendlyName
  • PlatformAdmin

In addition to the above, the following information was available within some of the databases:

Form Data

  • id
  • FormName
  • CompanyDetails
  • CompanyDetails.CompanyNumber
  • CompanyDetails.CompanyType
  • CompanyDetails.CompanyName
  • CompanyDetails.CompanyAuthenticationCode
  • CompanyDetails.ContactName
  • CompanyDetails.ContactNumber
  • ClientReference
  • AuthenticationItems
  • AuthenticationItems.BirthTown
  • AuthenticationItems.TelNumber
  • AuthenticationItems.NINumber
  • AuthenticationItems.PassportNumber
  • AuthenticationItems.MothersMaidenName
  • AuthenticationItems.EyeColour
  • AuthenticationItems.FathersFirstName
  • ExistingChargeKey
  • ChargeCreationDate
  • DescriptionOfInstrument
  • ParticularsOfProperty
  • ChargeCode
  • Satisfaction
  • PartCeaseRelease
  • FullCeaseRelease
  • AssetsDescription
  • Name
  • Name.Forenames
  • Name.Surname
  • Address
  • Address.CareOf
  • Address.PoBox
  • Address.Premise
  • Address.Street
  • Address.Thoroughfare
  • Address.PostTown
  • Address.County
  • Address.Country
  • Address.PostCode
  • InterestInCharge
  • FormCode
  • FormName
  • LastSavedDate
  • Language
  • Users
  • Status
  • PreArchivedStatus
  • FailureMessage
  • LastSubmission.SubmissionNumber
  • LastSubmission.SubmittedDateTime
  • LastSubmission.RejectionInfos
  • LastSubmission.CertificateRequestKey
  • LastSubmission.DocumentsUrl
  • FormCode
  • MostRecentSubmitter
  • Destination
  • FailureCount
  • Destinations
  • Url
  • Username
  • Password
  • Domain
  • ApiKey
  • Database
  • TransitiveReplicationBehavior
  • IgnoredClient
  • Disabled
  • ClientVisibleUrl
  • SkipIndexReplication
  • Source
  • id
  • FormName
  • ChargeCreationDate
  • Chargees
  • AdditionalChargees
  • Description
  • FixedChargeOrSecurity
  • FloatingCharge
  • FloatingChargeCoversAll
  • NegativePledge
  • TrusteeStatement
  • DeedCertificationStatement
  • DeedCertifiedBy
  • DeedRedacted
  • Attachments
  • PropertyAcquire

Appendix B – Firm names

Affected Parties (with primary data and potentially form data) in Alphabetical Order:

  • Aaron and Partners
  • Addleshaws
  • Apex Law
  • Baker McKenzie
  • Banner Jones
  • Bawtrees
  • Charles French Co
  • Chattertons Legal Services
  • Clifford Chance
  • Dentons UKMEA
  • Dickson Minto
  • DLAPiper
  • Field Fisher
  • Fraser Dawbarns
  • Hewitsons
  • Higgs and Sons
  • Hogan Lovells
  • Hopkins Solicitors
  • Howes Percival
  • Ian C Free Solicitors
  • JCP
  • JMW Solicitors
  • K and L Gates
  • Keystone Law
  • Lester Aldridge
  • Levi Solicitors
  • Mills Reeves
  • Myerson
  • Olswang LLP
  • OTB Eveling
  • Parry Law
  • Philip J Hammond
  • Pinsent Masons
  • Shakespeare Martineau
  • Slaughter and May
  • Stephensons
  • Sylvester Amiel Lewin And Horne
  • Talbots Law
  • The Endeavour Partnership
  • Thursfields LLP
  • TWM Solicitors
  • Wedlake Bell
  • Weil Gotshal Manges
  • White Case
  • Winckworth Sherwood

Databases with potentially limited content (with primary data):

  • Abdul Sattar Ali
  • Addis Law
  • Adrian Stables
  • Akin Palmer Solicitors
  • Alister Pilling
  • Alletsons
  • Amy And Co
  • Baines Wilson
  • Barrington Law Partnership
  • Barrow and Cook
  • Batchelors
  • Berry Lamberts
  • Berwin Leighton Paisner
  • Betteridges
  • Birkett Long
  • Blackett Hart Pratt LLP
  • BLegalSolicitors
  • Borneo Martell Turner Coulston
  • Bourne Jaffa
  • Bowling Co
  • Boyce Hatton
  • Bramhall Solicitors
  • Brighouse Wolff
  • Brook Street des Roches
  • BSG Solicitors
  • Bude Nathan Iwanier
  • Campions
  • Charles Platel Law
  • CitrusConveyancing
  • Clutton Cox
  • CMSCMNO
  • Cocks Lloyd
  • Collas Crill
  • Cooke Painter
  • Cowlishaw Mountford
  • Crossmans Solicitors
  • CSConveyancing
  • Curry Popeck
  • Curtis Parkinson
  • DDO Solicitors
  • Dean Thomas
  • Dobbs Drew Property Lawyers
  • Druces LLP
  • DTM Legal
  • Duncan Rann
  • DW Gallifant
  • E and K Solicitors
  • Ellis Fermor Negus
  • FDC Law
  • Field Fisher Finance
  • Field Seymour Parkes
  • Fletcher Co
  • Forshaws Davies Ridgway
  • Fox Williams
  • Fulchers Farnborough
  • Gamlins
  • GCL Solicitors
  • Geldards
  • Gilbert Stephens
  • GillTurnerTucker
  • Gosschalks Solicitors
  • Greenwoods Solicitors
  • Hague Lambert
  • Hamstead Law Practice
  • Hartley Worstenholme
  • Hawkins Hatton
  • Hawkins Ryan
  • Henry Cane And Son
  • Hill Hofstetter Limited
  • Hudson Taylor
  • Ison Harrison
  • Janet Auckland
  • John Fowlers
  • JS Law
  • JWK
  • Kapasi And Co
  • Kersey Solicitors
  • Kings Solicitors
  • Kingswell Watts
  • Knights Solicitors LLP
  • Lanyon Bowdler
  • Lawrence Stephens Solicitors
  • Lewis Francis Blackburn Bray
  • Lindsay Sait Turner
  • Linklaters
  • Lupton Fawcett LLP
  • Maclachlan Solicitors
  • Matwala Vyas
  • Mc Garry and Co
  • Merritts Solicitors
  • Millichips
  • Mishcon De Reya
  • MJP Conveyancing
  • MLP Law
  • Moore Blatch
  • Morecrofts
  • Mowll
  • Napthens
  • Nath Solicitors
  • NCC
  • Nelsons
  • Nelsons Legal
  • Ocean Property Lawyers
  • Oglethorpe Sturton Gillibrand
  • Ormrod Solicitors
  • Pepperells
  • Petrou Law
  • Phillips Solicitors
  • Pickering and Butters
  • Pini Franco
  • Pitmans
  • Portcullis
  • Read Dunn Connell
  • Richard Kanani
  • Richard Pearlman
  • RJR Solicitors
  • Robertsons Legal
  • Rutherford
  • Salehs
  • SBP Law
  • Seatons Law
  • Sharman Law
  • Shentons
  • Sheridan And Stretton
  • Sherrards
  • Sills Betteridge
  • Sintons
  • Title
  • Somerville Savage
  • Southerns
  • Spicketts Battrick
  • SS Live
  • Stan Baring
  • Steinbergs Solicitors
  • Straw And Pearce
  • Sullivan Cromwell
  • Sydney Mitchell
  • Sydney Mitchell Solicitors
  • Taylor Vinters
  • Taylor Wessing
  • Theobald Associates
  • TQ Solicitors
  • Turner Parkinson Solicitors
  • W Davies
  • Walter Saunders
  • Wartnaby Hefford
  • Watson Farley Williams
  • Widdows Pilling Co
  • Wilde Law
  • Williams Beales Co
  • Wiseman Lee
  • YVA Solicitors LLP

Appendix C – Communications Log

Communications log:

  • February: Our security researchers discovered what appeared to be a sensitive open database accessible to anyone with a browser and internet connection. We made efforts to identify the owner of this database, and believed it to be owned by Companies House.
  • February: We contacted the NCSC, since a Companies House breach would be a matter of national security.
  • 28th February: We contacted [email protected] with details of what we believed to be a personal data leak, stating we had found worrying exposed information, were working to figure out who the owner was to get it closed, and that we had not reported it to any of the law firms in question. We sent over:
    • Names of all the law firms involved.
  • 1st April: We received confirmation that the breach did not pertain to Companies House. We continued identification efforts to no avail.
  • 14th April: We contacted the impacted firms, who worked with us to identify the owner.
  • 14th April: A number of law firms confirmed with us that the database likely belonged to the Laserforms Hub which is currently owned/run by Advanced Computer Software Group Limited.

At this point, the data controller was believed to be Advanced, so we sought to establish a line of communication with Advanced so the database could be protected. We also prepared draft statements to be ready to respond to any unexpected events quickly.

  • 16th April – TurgenSec reached out to Advanced providing them with our responsible disclosure policy among other information.
  • 22nd April – Advanced replied acknowledging the receipt of our email and informing us an investigation was ongoing.
  • 22nd April – TurgenSec re-sent its responsible disclosure policy requesting the DPO, who replied to us from Advanced confirming they had read our policy. TurgenSec requested to be involved in the public disclosure stating: “As the discovering party in this breach we wish to be involved in the public disclosure process.”
  • 22nd April – TurgenSec called Advanced via a mobile and got through to the person whose line manager is handling the data breach. TurgenSec was informed they would be called back the same day. Advanced noted the mobile number used to call.
    • Advanced did not call the mobile number back.
    • TurgenSec was not provided with a direct number.
  • 22nd April – TurgenSec called again at 16:51 and did not get through.
  • 23rd April – TurgenSec called Advanced and was informed the individual dealing with the data breach was on a call and would call us back the same day.
    • Advanced did not call TurgenSec back.
  • 24th April – The compliance team at Advanced called a TurgenSec director to discuss the breach, telling us they would send us a formal response on the 24th or 27th of April, stating that they did not need to inform the ICO and that they had informed affected parties.
    • Advanced informed us that they had told all affected law firms of the data breach, and provided them with copies of the breached content.
  • 27th April – Advanced responded to TurgenSec with a written response stating that they did not wish to work with us and that we did not have permission to use their name in our breach disclosure.
  • 27th April – TurgenSec issued its public disclosure with significant amounts of detail redacted, such as the name of the data controller. This statement was issued in line with the Ethical & Business Goals of TurgenSec.
  • 29th April – The Financial Times contacted TurgenSec informing us that they knew that the software company in question was Advanced, and from our first statement that we had been the ones to discover it.
  • 29th April – The Financial Times informed TurgenSec that Advanced stated the data was public record and of no significance. For this reason we are happy to release the field headers and names of firms, in Appendices A & B.
  • 4th May: TurgenSec issued its second public statement, in line with our Disclosure Policy and Company Ethics & Business Goals.
