TurgenSec discovered a data breach at a legal software provider affecting over 190 law firms, including three magic circle law firms. We posted our public statement of the matter on the 27th of April. It has come to our attention that the identities of the owner of the database and affected parties are now public knowledge (FT Article).

Archive of statement updates:

• 27th April 2020 – V1.0 Released
• 4th May 2020 – V2.0 Released
• 4th May 2020 – Amended and clarified.
• 4th May 2020 – Amended and clarified.
• 4th May 2020 – FT article anchor text.
• 6th May 2020 – Spelling correction
• 6th May 2020 – Meta data analysis

Update – 6th May 2020

In order to reduce as much as possible the need to interact with what could be unauthorised information, we have various methods that allow our security researchers to profile the extent of a data breach without being exposed to the raw data itself. This includes: Table column header extraction, row metadata (character count, number of entries).

The meta data we gathered on this database indicates that some of the information labeled as authentication data was more than 3 characters long. We cannot speak for the number of entries that were more than 3 characters or what they contained. We encourage Advanced to conduct forensics with an independent partner to ascertain the true magnitude of the breach.

We also encourage Advanced to publicly address this breach and inform clients and potential new clients what they are doing to make sure a data incident like this does not happen again.

Purpose of this Statement | Corporate Disclosure Goals

• Promoting verifiable transparency on the principle that organizations and individuals have a right to know what has been breached about them in objective and precise terms.
• Through transparency, allowing individual and organizational consumers to make informed decisions on who to trust with their sensitive data.
• Bringing attention to the wider debate of why breaches need transparency to reduce the costs of all involved.
• Ensuring false information concerning this data breach cannot be used to manipulate, extort, sue or otherwise harm the involved parties or TurgenSec itself.

Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.

Note: Our team interacted with an open server. We do not use unauthorised credentials, brute force password guessing or any other unlawful process. We obtained sufficient information to understand the nature of the data and to contact relevant parties.

Terminology

Henceforth, the following applies:

• Advanced Computer Software Group Limited will be referred to as Advanced.
• TurgenSec Ltd will be referred to as TurgenSec.

Summary of Events

Further details available in Appendix C.

• Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.
• The database appeared to potentially contain some personal & potentially sensitive information and activities of the staff and clients of law firms, as well as a software company.
• We made efforts to identify the owner of this database, but were unable to do so with a high degree of confidence.
• We suspected that the database may belong to a government agency or service and so we stopped triaging and informed the NCSC.
• We worked with the NCSC and government connections to ensure that the owner was not a public agency.
• We confirmed that the database was not government owned, but we could still not identify the owner of the database with certainty.
• In line with our responsible disclosure policy we contacted the impacted firms, who worked with us to identify the owner and close the database.
• A number of law firms impacted confirmed with us that the database likely belonged to the Laserforms Hub which is owned/run by Advanced Computer Software Group Limited.
• Given a high level of confidence that Advanced were the owners of the database, we established a line of communication with those responsible for the database, who subsequently closed the database, and instructed us they did not want any further business with us or to be involved in any public statement.
• The Financial Times contacted TurgenSec informing us that they knew that the software company in question was Advanced, and from our first statement that we had been the ones to discover it. The reporter had spoken to Advanced and confirmed to us that according to Advanced, the data was public record and of little significance, and they were going to run a story. 
• TurgenSec issued its second public statement, in line with our Disclosure Policy and EC1 Ethics and Culture form.

Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organizations involved. Therefore our first priority is always to ensure the owners of the database are informed so that they can close the database.

Secondly, since this data had been exposed for an extended period, our intention was to ensure that those affected were informed of the breach so they could act appropriately to protect themselves. Our experience has taught us that breached data of this nature usually ends up in the wrong hands.

TurgenSec, working in line with its Responsible Disclosure Policy, triaged the database and contacted the NCSC. Over the next few weeks the database remained accessible to the public while we liaised with the NCSC and with the organisation to whom we believed the database belonged (Companies House); they later advised us that the database was not theirs.

As we were unable to identify the owner with a reasonable degree of certainty, and the database remained accessible (able to be accessed by those with malicious intent), we therefore proceeded in line with our policy. We contacted a minority of the impacted firms, provided them with redacted evidence, and worked with them to identify the correct owner.

Impact

The set of databases identified by TurgenSec appears to contain information relating to the staff of legal firms, and in some cases, potentially sensitive data relating to authentication on behalf of clients.

All firms had staff data breached. Potentially sensitive headers observed included:

• id
• UserName 
• HashedPassword
• Organisation
• FriendlyName
• PlatformAdmin

Of the firms whose documentation was included in the breach, potentially sensitive headers observed included:

• Name
• Address
• BirthTown
• TelNumber
• NINumber
• PassportNumber
• MothersMaidenName
• EyeColour
• FathersFirstName
• CompanyDetails
  • CompanyType
  • CompanyName
  • CompanyAuthenticationCode
  • ContactName
  • ContactNumber

Extensive details of transactions, payment terms and client agreements are believed potentially to be contained within the database. See Appendix A for details of the exposed database fields, and Appendix B for details of the firms we believe are affected by this breach.

Afterword

This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture. Due diligence is not a box that can be ‘checked’ once and left thereafter, nor should Cybersecurity analysis be missing from this process – a problem we address in our Exosystem Monitoring solution. 

Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.

No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. This data was discovered during R&D for TurgenSec’s DataShadow product.

There was no legal obligation for us to disclose this breach. Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in Appendix A. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.

Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high risk, no reward situation. We believe that such a culture shift would dir ectly benefit the UK & international community through the global reduction of cyber crime.

Appendix A – Field headers

 Primary data (available for all firms affected)

• id
• UserName
• HashedPassword
• Organisation
• FriendlyName
• PlatformAdmin

In addition to the above, the following information was available within some of the databases:

Form Data

• id
• FormName
• CompanyDetails
• CompanyDetails.CompanyNumber
• CompanyDetails.CompanyType
• CompanyDetails.CompanyName
• CompanyDetails.CompanyAuthenticationCode
• CompanyDetails.ContactName
• CompanyDetails.ContactNumber
• ClientReference
• AuthenticationItems
• AuthenticationItems.BirthTown
• AuthenticationItems.TelNumber
• AuthenticationItems.NINumber
• AuthenticationItems.PassportNumber
• AuthenticationItems.MothersMaidenName
• AuthenticationItems.EyeColour
• AuthenticationItems.FathersFirstName
• ExistingChargeKey
• ChargeCreationDate
• DescriptionOfInstrument
• ParticularsOfProperty
• ChargeCode
• Satisfaction
• PartCeaseRelease
• FullCeaseRelease
• AssetsDescription
• Name
• Name.Forenames
• Name.Surname
• Address
• Address.CareOf
• Address.PoBox
• Address.Premise
• Address.Street
• Address.Thoroughfare
• Address.PostTown
• Address.County
• Address.Country
• Address.PostCode
• InterestInCharge
• FormCode
• FormName
• LastSavedDate
• Language
• Users
• Status
• PreArchivedStatus
• FailureMessage
• LastSubmission.SubmissionNumber
• LastSubmission.SubmittedDateTime
• LastSubmission.RejectionInfos
• LastSubmission.CertificateRequestKey
• LastSubmission.DocumentsUrl
• FormCode
• MostRecentSubmitter
• Destination
• FailureCount
• Destinations
• Url
• Username
• Password
• Domain
• ApiKey
• Database
• TransitiveReplicationBehavior
• IgnoredClient
• Disabled
• ClientVisibleUrl
• SkipIndexReplication
• Source
• id
• FormName
• ChargeCreationDate
• Chargees
• AdditionalChargees
• Description
• FixedChargeOrSecurity
• FloatingCharge
• FloatingChargeCoversAll
• NegativePledge
• TrusteeStatement
• DeedCertificationStatement
• DeedCertifiedBy
• DeedRedacted
• Attachments
• PropertyAcquire

Appendix B – Firm names

Affected Parties (with primary data and potentially form data) in Alphabetical Order:

Aaron and Partners	K and L Gates
Addleshaws	Keystone Law
Apex Law	Lester Aldridge
Baker McKenzie	Levi Solicitors
Banner Jones	Mills Reeves
Bawtrees	Myerson
Charles French Co	Olswang LLP
Chattertons Legal Services	OTB Eveling
Clifford Chance	Parry Law
Dentons UKMEA	Philip J Hammond
Dickson Minto	Pinsent Masons
DLAPiper	Shakespeare Martineau
Field Fisher	Slaughter and May
Fraser Dawbarns	Stephensons
Hewitsons	Sylvester Amiel Lewin And Horne
Higgs and Sons	Talbots Law
Hogan Lovells	The Endeavour Partnership
Hopkins Solicitors	Thursfields LLP
Howes Percival	TWM Solicitors
Ian C Free Solictors	Wedlake Bell
JCP	Weil Gotshal Manges
JMW Solicitors	White Case
	Winckworth Sherwood

Databases with potentially limited content (with primary data):

Abdul Sattar Ali	Fletcher Co	Ocean Property Lawyers
Addis Law	Forshaws Davies Ridgway	Oglethorpe Sturton Gillibrand
Adrian Stables	Fox Williams	Ormrod Solicitors
Akin Palmer Solicitors	Fulchers Farnborough	Pepperells
Alister Pilling	Gamlins	Petrou Law
Alletsons	GCL Solicitors	Phillips Solicitors
Amy And Co	Geldards	Pickering and Butters
Baines Wilson	Gilbert Stephens	Pini Franco
Barrington Law Partnership	GillTurnerTucker	Pitmans
Barrow and Cook	Gosschalks Solicitors	Portcullis
Batchelors	Greenwoods Solicitors	Read Dunn Connell
Berry Lamberts	Hague Lambert	Richard Kanani
Berwin Leighton Paisner	Hamstead Law Practice	Richard Pearlman
Betteridges	Hartley Worstenholme	RJR Solicitors
Birkett Long	Hawkins Hatton	Robertsons Legal
Blackett Hart Pratt LLP	Hawkins Ryan	Rutherford
BLegalSolicitors	Henry Cane And Son	Salehs
Borneo Martell Turner Coulston	Hill Hofstetter Limited	SBP Law
Bourne Jaffa	Hudson Taylor	Seatons Law
Bowling Co	Ison Harrison	Sharman Law
Boyce Hatton	Janet Auckland	Shentons
Bramhall Solicitors	John Fowlers	Sheridan And Stretton
Brighouse Wolff	JS Law	Sherrards
Brook Street des Roches	JWK	Sills Betteridge
BSG Solicitors	Kapasi And Co	Sintons
Bude Nathan Iwanier	Kersey	Solicitors Title
Campions	Kings Solicitors	Somerville Savage
Charles Platel Law	Kingswell Watts	Southerns
CitrusConveyancing	Knights Solicitors LLP	Spicketts Battrick
Clutton Cox	Lanyon Bowdler	SS Live
CMSCMNO	Lawrence Stephens Solicitors	Stan Baring
Cocks Lloyd	Lewis Francis Blackburn Bray	Steinbergs Solicitors
Collas Crill	Lindsay Sait Turner	Straw And Pearce
Cooke Painter	Linklaters	Sullivan Cromwell
Cowlishaw Mountford	Lupton Fawcett LLP	Sydney Mitchell
Crossmans Solicitors	Maclachlan Solicitors	Sydney Mitchell Solicitors
CSConveyancing	Matwala Vyas	Taylor Vinters
Curry Popeck	Mc Garry and Co	Taylor Wessing
Curtis Parkinson	Merritts Solicitors	Theobald Associates
DDO Solicitors	Millichips	TQ Solicitors
Dean Thomas	Mishcon De Reya	Turner Parkinson Solicitors
Dobbs Drew Property Lawyers	MJP Conveyancing	W Davies
Druces LLP	MLP Law	Walter Saunders
DTM Legal	Moore Blatch	Wartnaby Hefford
Duncan Rann	Morecrofts	Watson Farley Williams
DW Gallifant	Mowll	Widdows Pilling Co
E and K Solicitors	Napthens	Wilde Law
Ellis Fermor Negus	Nath Solicitors	Williams Beales Co
FDC Law	NCC	Wiseman Lee
Field Fisher Finance	Nelsons	YVA Solicitors LLP
Field Seymour Parkes	Nelsons Legal

Appendix C – Communications Log

Communications log:

• February: Our security researchers discovered what appeared to be a sensitive open database accessible to anyone with a browser and internet connection. We made efforts to identify the owner of this database, and believed it to be owned by Companies House.
• February: We contacted the NCSC, since a Companies House breach would be a matter of national security.
• 28th February: We contacted [email protected] with details of what we believed to be a personal data leak, stating we had found worrying exposed information, were working to figure out who the owner was to get it closed, and that we had not reported it to any of the law firms in question. We sent over:
  • Names of all the law firms involved.
• 1st April: We received confirmation that the breach did not pertain to Companies House. We continued identification efforts to no avail.
• 14th April: We contacted the impacted firms, who worked with us to identify the owner.
• 14th April: A number of law firms confirmed with us that the database likely belonged to the Laserforms Hub which is currently owned/run by Advanced Computer Software Group Limited.

At this point, the data controller was believed to be Advanced, so we sought to establish a line of communication with Advanced so the database could be protected. We also prepared draft statements to be ready to respond to any unexpected events quickly.

• 16th April – TurgenSec reached out to Advanced providing them with our responsible disclosure policy among other information.
• 22nd April – Advanced replied acknowledging the receipt of our email and informing us an investigation was ongoing. 
• 22nd April – TurgenSec re-sent its responsible disclosure policy requesting the DPO, who replied to us from Advanced confirming they had read our policy. TurgenSec  requested to be involved in the public disclosure stating: “As the discovering party in this breach we wish to be involved in the public disclosure process.“
• 22nd April – TurgenSec called Advanced via a mobile and got through to the person whose line manager is handling the data breach. TurgenSec was informed they would be called back the same day. Advanced noted the mobile number used to call.
  • Advanced did not call the mobile number back.
  • TurgenSec was not provided with a direct number.
• 22nd April – TurgenSec called again at 16:51 and did not get through.
• 23rd April – TurgenSec called Advanced and was informed the individual dealing with the data breach was on a call and would call us back the same day. 
  • Advanced did not call TurgenSec back. 
• 24th April – The compliance team at the Advanced called a TurgenSec director to discuss the breach telling us they would send us a formal response on the 24th or 27th of April, stating that they did not need to inform the ICO and that they had informed affected parties.
  • Advanced informed us that they had told all affected law firms of the data breach, and provided them with copies of the breached content.
• 27th April – Advanced responded to TurgenSec with a written response stating that they did not wish to work with us and that we did not have permission to use their name in our breach disclosure. 
• 27th April – TurgenSec issued its public disclosure with significant amounts of detail redacted, such as the name of the data controller. This statement was issued in line with the Ethical & Business Goals of TurgenSec.
• 29th April – The Financial Times contacted TurgenSec informing us that they knew that the software company in question was Advanced, and from our first statement that we had been the ones to discover it.
• 29th April – The Financial Times informed TurgenSec that Advanced stated the data was public record and of no significance. For this reason we are happy to release the field headers and names of firms, in Appendices A & B.
• 4th May: TurgenSec issued its second public statement with, in line with our Disclosure Policy and Company Ethics & Business Goals.