TurgenSec discovered a data breach at a legal software provider affecting over 190 law firms, including three magic circle law firms. We posted our public statement of the matter on the 27th of April. It has come to our attention that the identities of the owner of the database and affected parties are now public knowledge (FT Article).
Archive of statement updates:
- 27th April 2020 – V1.0 Released
- 4th May 2020 – V2.0 Released
- 4th May 2020 – Amended and clarified.
- 4th May 2020 – Amended and clarified.
- 4th May 2020 – FT article anchor text.
- 6th May 2020 – Spelling correction
- 6th May 2020 – Metadata analysis
Update – 6th May 2020
To minimise the need to interact with information that may be unauthorised, our security researchers use methods that profile the extent of a data breach without exposing them to the raw data itself. These include table column header extraction and row metadata (character count, number of entries).
The metadata we gathered on this database indicates that some of the information labelled as authentication data was more than 3 characters long. We cannot say how many entries exceeded 3 characters or what they contained. We encourage Advanced to conduct forensics with an independent partner to ascertain the true magnitude of the breach.
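The profiling approach described above, as an added illustration rather than TurgenSec's own tooling: given a table export, return only the column headers and per-column counts and length statistics, so that cell values are measured and discarded instead of being read or retained. The CSV fragment and its column names are constructed for this example.

```python
"""Profile an exposed table by metadata only.

Added example, not TurgenSec's tooling. Reports column headers and
per-column counts/lengths; the returned profile never contains a cell value.
"""
import csv
import io
from collections import Counter

# Constructed sample standing in for an exported table. Column names and
# values are placeholders chosen for the example.
SAMPLE_CSV = """firm,user_email,auth_secret,form_ref
Example LLP,a.nother@example.com,abc,F-001
Example LLP,b.smith@example.com,correct-horse,F-002
Sample Law,c.jones@example.com,,F-003
Sample Law,d.brown@example.com,xyz,
"""


def profile_table(csv_text: str, long_threshold: int = 3) -> dict:
    """Return headers plus per-column metadata (row counts, length range).

    long_threshold: entries longer than this are counted as 'long'; the
    statement's observation was entries of more than 3 characters.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = list(reader.fieldnames or [])
    stats = {h: {"rows": 0, "non_empty": 0, "lengths": Counter()} for h in headers}

    for row in reader:
        for h in headers:
            value = row.get(h) or ""
            col = stats[h]
            col["rows"] += 1
            if value:
                col["non_empty"] += 1
                # Only the length is kept; the value itself goes out of scope.
                col["lengths"][len(value)] += 1

    summary = {}
    for h, col in stats.items():
        lengths = col["lengths"]
        summary[h] = {
            "rows": col["rows"],
            "non_empty": col["non_empty"],
            "min_len": min(lengths) if lengths else 0,
            "max_len": max(lengths) if lengths else 0,
            "over_threshold": sum(n for length, n in lengths.items() if length > long_threshold),
        }
    return {"headers": headers, "columns": summary}


if __name__ == "__main__":
    profile = profile_table(SAMPLE_CSV)
    print(profile["headers"])
    for name, col in profile["columns"].items():
        print(name, col)
```

Even this profile requires the rows to pass through memory, so the researcher is still handling the data; what the method limits is what is retained and reported. The counts and length ranges it produces are also a checkable record that a database owner disputing the severity of an exposure can be asked to reconcile against their own forensics.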
We also encourage Advanced to publicly address this breach and inform clients and potential new clients what they are doing to make sure a data incident like this does not happen again.
Purpose of this Statement | Corporate Disclosure Goals
- Promoting verifiable transparency on the principle that organizations and individuals have a right to know what has been breached about them in objective and precise terms.
- Through transparency, allowing individual and organizational consumers to make informed decisions on who to trust with their sensitive data.
- Bringing attention to the wider debate of why breaches need transparency to reduce the costs of all involved.
- Ensuring false information concerning this data breach cannot be used to manipulate, extort, sue or otherwise harm the involved parties or TurgenSec itself.
Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.
Note: Our team interacted with an open server. We do not use unauthorised credentials, brute force password guessing or any other unlawful process. We obtained sufficient information to understand the nature of the data and to contact relevant parties.
Henceforth, the following applies:
- Advanced Computer Software Group Limited will be referred to as Advanced.
- TurgenSec Ltd will be referred to as TurgenSec.
Summary of Events
Further details available in Appendix C.
- Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.
- The database appeared to contain personal and potentially sensitive information about, and activities of, the staff and clients of law firms, as well as of a software company.
- We made efforts to identify the owner of this database, but were unable to do so with a high degree of confidence.
- We suspected that the database may belong to a government agency or service and so we stopped triaging and informed the NCSC.
- We worked with the NCSC and government connections to ensure that the owner was not a public agency.
- We confirmed that the database was not government owned, but we could still not identify the owner of the database with certainty.
- In line with our responsible disclosure policy we contacted the impacted firms, who worked with us to identify the owner and close the database.
- A number of law firms impacted confirmed with us that the database likely belonged to the Laserforms Hub which is owned/run by Advanced Computer Software Group Limited.
- Given our high level of confidence that Advanced owned the database, we established a line of communication with those responsible for it. They subsequently closed the database and told us they did not want any further dealings with us or any involvement in a public statement.
- The Financial Times contacted TurgenSec, informing us that they knew the software company in question was Advanced and, from our first statement, that we had been the ones to discover it. The reporter had spoken to Advanced and told us that, according to Advanced, the data was public record and of little significance, and that they were going to run a story.
- TurgenSec issued its second public statement, in line with our Disclosure Policy and EC1 Ethics and Culture form.
Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organisations involved. Our first priority is therefore always to ensure the owner of the database is informed so that they can close it.
Secondly, since this data had been exposed for an extended period, our intention was to ensure that those affected were informed of the breach so they could act appropriately to protect themselves. Our experience has taught us that breached data of this nature usually ends up in the wrong hands.
TurgenSec, working in line with its Responsible Disclosure Policy, triaged the database and contacted the NCSC. Over the next few weeks the database remained accessible to the public while we liaised with the NCSC and with the organisation to whom we believed the database belonged (Companies House); they later advised us that the database was not theirs.
As we were unable to identify the owner with a reasonable degree of certainty, and the database remained accessible to anyone, including those with malicious intent, we proceeded in line with our policy: we contacted a minority of the impacted firms, provided them with redacted evidence, and worked with them to identify the correct owner.
The set of databases identified by TurgenSec appears to contain information relating to the staff of legal firms, and in some cases, potentially sensitive data relating to authentication on behalf of clients.
All firms had staff data breached. Potentially sensitive headers observed included:
Of the firms whose documentation was included in the breach, potentially sensitive headers observed included:
Extensive details of transactions, payment terms and client agreements are believed potentially to be contained within the database. See Appendix A for details of the exposed database fields, and Appendix B for details of the firms we believe are affected by this breach.
This breach is an important case study in the wider debate on responsible disclosure and how companies should behave to encourage a positive cyber security research culture. Due diligence is not a box that can be ‘checked’ once and left thereafter, nor should cyber security analysis be missing from this process – a problem we address in our Exosystem Monitoring solution.
Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.
No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. This data was discovered during R&D for TurgenSec’s DataShadow product.
There was no legal obligation for us to disclose this breach. Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in Appendix A. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.
Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high-risk, no-reward situation. We believe that such a culture shift would directly benefit the UK and international community through the global reduction of cyber crime.
Appendix A – Field headers
Primary data (available for all firms affected)
In addition to the above, the following information was available within some of the databases:
Appendix B – Firm names
Affected Parties (with primary data and potentially form data) in Alphabetical Order:
- Aaron and Partners
- Apex Law
- Baker McKenzie
- Banner Jones
- Charles French Co
- Chattertons Legal Services
- Clifford Chance
- Dentons UKMEA
- Dickson Minto
- Field Fisher
- Hewitsons
- Higgs and Sons
- Hogan Lovells
- Hopkins Solicitors
- Howes Percival
- Ian C Free Solicitors
- JCP
- JMW Solicitors
- K and L Gates
- Lester Aldridge
- Levi Solicitors
- Mills Reeves
- Olswang LLP
- OTB Eveling
- Parry Law
- Philip J Hammond
- Pinsent Masons
- Slaughter and May
- Sylvester Amiel Lewin And Horne
- Talbots Law
- The Endeavour Partnership
- Thursfields LLP
- TWM Solicitors
- Wedlake Bell
- Weil Gotshal Manges
- White Case
Databases with potentially limited content (with primary data):
- Abdul Sattar Ali
- Addis Law
- Adrian Stables
- Akin Palmer Solicitors
- Alister Pilling
- Alletsons
- Amy And Co
- Baines Wilson
- Barrington Law Partnership
- Barrow and Cook
- Batchelors
- Berry Lamberts
- Berwin Leighton Paisner
- Betteridges
- Birkett Long
- Blackett Hart Pratt LLP
- BLegalSolicitors
- Borneo Martell Turner Coulston
- Bourne Jaffa
- Bowling Co
- Boyce Hatton
- Bramhall Solicitors
- Brighouse Wolff
- Brook Street des Roches
- BSG Solicitors
- Bude Nathan Iwanier
- Campions
- Charles Platel Law
- CitrusConveyancing
- Clutton Cox
- CMSCMNO
- Cocks Lloyd
- Collas Crill
- Cooke Painter
- Cowlishaw Mountford
- Crossmans Solicitors
- CSConveyancing
- Curry Popeck
- Curtis Parkinson
- DDO Solicitors
- Dean Thomas
- Dobbs Drew Property Lawyers
- Druces LLP
- DTM Legal
- Duncan Rann
- DW Gallifant
- E and K Solicitors
- Ellis Fermor Negus
- FDC Law
- Field Fisher Finance
- Field Seymour Parkes
- Fletcher Co
- Forshaws Davies Ridgway
- Fox Williams
- Fulchers Farnborough
- Gamlins
- GCL Solicitors
- Geldards
- Gilbert Stephens
- GillTurnerTucker
- Gosschalks Solicitors
- Greenwoods Solicitors
- Hague Lambert
- Hamstead Law Practice
- Hartley Worstenholme
- Hawkins Hatton
- Hawkins Ryan
- Henry Cane And Son
- Hill Hofstetter Limited
- Hudson Taylor
- Ison Harrison
- Janet Auckland
- John Fowlers
- JS Law
- JWK
- Kapasi And Co
- Kersey
- Kings Solicitors
- Kingswell Watts
- Knights Solicitors LLP
- Lanyon Bowdler
- Lawrence Stephens Solicitors
- Lewis Francis Blackburn Bray
- Lindsay Sait Turner
- Linklaters
- Lupton Fawcett LLP
- Maclachlan Solicitors
- Matwala Vyas
- Mc Garry and Co
- Merritts Solicitors
- Millichips
- Mishcon De Reya
- MJP Conveyancing
- MLP Law
- Moore Blatch
- Morecrofts
- Mowll
- Napthens
- Nath Solicitors
- NCC
- Nelsons
- Nelsons Legal
- Ocean Property Lawyers
- Oglethorpe Sturton Gillibrand
- Ormrod Solicitors
- Pepperells
- Petrou Law
- Phillips Solicitors
- Pickering and Butters
- Pini Franco
- Pitmans
- Portcullis
- Read Dunn Connell
- Richard Kanani
- Richard Pearlman
- RJR Solicitors
- Robertsons Legal
- Rutherford
- Salehs
- SBP Law
- Seatons Law
- Sharman Law
- Shentons
- Sheridan And Stretton
- Sherrards
- Sills Betteridge
- Sintons
- Solicitors Title
- Somerville Savage
- Southerns
- Spicketts Battrick
- SS Live
- Stan Baring
- Steinbergs Solicitors
- Straw And Pearce
- Sullivan Cromwell
- Sydney Mitchell
- Sydney Mitchell Solicitors
- Taylor Vinters
- Taylor Wessing
- Theobald Associates
- TQ Solicitors
- Turner Parkinson Solicitors
- W Davies
- Walter Saunders
- Wartnaby Hefford
- Watson Farley Williams
- Widdows Pilling Co
- Wilde Law
- Williams Beales Co
- Wiseman Lee
- YVA Solicitors LLP
Appendix C – Communications Log
- February: Our security researchers discovered what appeared to be a sensitive open database accessible to anyone with a browser and internet connection. We made efforts to identify the owner of this database, and believed it to be owned by Companies House.
- February: We contacted the NCSC, since a Companies House breach would be a matter of national security.
- 28th February: We contacted [email protected] with details of what we believed to be a personal data leak, stating that we had found worrying exposed information, were working to identify the owner so the database could be closed, and had not reported it to any of the law firms in question. We sent over:
  - Names of all the law firms involved.
- 1st April: We received confirmation that the breach did not pertain to Companies House. We continued our identification efforts to no avail.
- 14th April: We contacted the impacted firms, who worked with us to identify the owner.
- 14th April: A number of law firms confirmed with us that the database likely belonged to the Laserforms Hub, which is currently owned/run by Advanced Computer Software Group Limited.
At this point, the data controller was believed to be Advanced, so we sought to establish a line of communication with Advanced so the database could be protected. We also prepared draft statements to be ready to respond to any unexpected events quickly.
- 16th April: TurgenSec reached out to Advanced, providing them with our responsible disclosure policy among other information.
- 22nd April: Advanced replied acknowledging receipt of our email and informing us that an investigation was ongoing.
- 22nd April: TurgenSec re-sent its responsible disclosure policy, requesting the DPO, who replied from Advanced confirming they had read our policy. TurgenSec requested to be involved in the public disclosure, stating: “As the discovering party in this breach we wish to be involved in the public disclosure process.”
- 22nd April: TurgenSec called Advanced via a mobile and got through to the person whose line manager was handling the data breach. TurgenSec was told it would be called back the same day. Advanced noted the mobile number used to call.
  - Advanced did not call the mobile number back.
  - TurgenSec was not provided with a direct number.
- 22nd April: TurgenSec called again at 16:51 and did not get through.
- 23rd April: TurgenSec called Advanced and was informed that the individual dealing with the data breach was on a call and would call us back the same day.
  - Advanced did not call TurgenSec back.
- 24th April: The compliance team at Advanced called a TurgenSec director to discuss the breach, telling us they would send a formal response on the 24th or 27th of April, stating that they did not need to inform the ICO, and that they had informed affected parties.
  - Advanced informed us that they had told all affected law firms of the data breach and provided them with copies of the breached content.
- 27th April: Advanced sent TurgenSec a written response stating that they did not wish to work with us and that we did not have permission to use their name in our breach disclosure.
- 27th April: TurgenSec issued its public disclosure with significant amounts of detail redacted, such as the name of the data controller. This statement was issued in line with the Ethical & Business Goals of TurgenSec.
- 29th April: The Financial Times contacted TurgenSec informing us that they knew the software company in question was Advanced and, from our first statement, that we had been the ones to discover it.
- 29th April: The Financial Times informed TurgenSec that Advanced had stated the data was public record and of no significance. For this reason we are happy to release the field headers and names of firms in Appendices A & B.
- 4th May: TurgenSec issued its second public statement, in line with our Disclosure Policy and Company Ethics & Business Goals.