
LeaseSolution (LS2) Breach Statement

18th May 2020, TurgenSec Limited, Public Statement v1.0

Summary

TurgenSec discovered a publicly accessible database which belonged to a lease management service provider named LeaseSolution (LS2). The breach affected 9 companies, contained 6 million database entries and over 150 files (e.g. PDFs). We speculate the companies impacted are clients of LS2. 

We encourage LeaseSolution to submit the breached databases to digital forensics specialists to ascertain the extent of this data breach. 

We also encourage LeaseSolution to inform the ICO and to issue a public disclosure of this data breach explaining how this database breach occurred, and the full extent of what was breached so that the impacted companies listed below can enact their incident response plans. 

The companies impacted (See Appendix A): 

  • Rolls Royce
  • Tesco
  • Samsung
  • Computacenter
  • Link Group
  • Capita
  • Freightliner
  • MC Group
  • LeaseSolution (Breached database)

Potential sensitive data headings (See Appendix B for a full list): 

  • FirstName
  • LastName
  • JobTitle
  • Email
  • Switchboard
  • DirectDial
  • Mobile
  • Company
  • FullName
  • Id
  • Name
  • FullName
  • ModifiedDate
  • metadata
  • AddressLine1
  • AddressLine2
  • AddressLine3
  • CountyState
  • PostCode
  • Country
  • CountryName
  • State
  • CurrentContact
  • Contacts
  • Client
  • FirstContact
  • LastContact
  • NextContact

Asset class data headings

  • Aircraft
  • All Assets
  • AssetClass
  • Biological
  • Equipment
  • Film
  • Land & Buildings
  • Licensed IP
  • Non-Regenerative Resource
  • Plant & Machinery
  • Service Concession
  • Vehicles
  • AssetClass
  • LinkedContracts
  • FieldIds

Archive of statement updates

  • 18th May 2020 – V1.0 Released
  • 18th May 2020 – By accident we put 14th May in the subtitle as the publication date. V1.0 was actually posted on 18th May.

Purpose of this Statement | Corporate Disclosure Goals

  • Providing verifiable transparency on the principle that organisations and individuals have a right to know what has been breached about them in objective and precise terms.
  • Through transparency, allowing individual and organisational consumers to make informed decisions on who to trust with their sensitive data.
  • To bring attention to the wider debate of why breaches need transparency to reduce the costs of all involved.
  • Ensuring false information concerning this data breach cannot be used to manipulate, extort, sue or otherwise harm the involved parties or TurgenSec itself.

Navigating this Statement

  • Appendix A – This appendix outlines the companies impacted by this data breach. We speculate that some (or all) of these companies are clients of LeaseSolution/LS2.
  • Appendix B – This contains the data headings of this breach and shows the type of information that was potentially within the databases for each company. We publish this to assist the impacted organisations in their incident response plans so they have enough information on this breach to respond appropriately and understand the severity of this breach.
  • Appendix C – This outlines our communications with LeaseSolution and the impacted organisations. 

Our security researchers discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.

Note: Our team interacted with an open server. We do not use unauthorised credentials, brute force password guessing or any other unlawful process. We obtained sufficient information to understand the nature of the data and to contact relevant parties.

Addressing our Disclosure outreach methodology

TurgenSec followed its responsible disclosure policy (Responsible Disclosure Policy) when reaching out to LeaseSolution. 

We initially contacted LeaseSolution via their published communications channel, namely their website ‘Enquires’ page to inform them of their breach. It appears that LeaseSolution did receive and act on our responsible disclosure, as the databases that were exposed for an extended period were finally restricted from public view shortly after we sent the original email to LeaseSolution.

We attempted to establish a dialogue with LeaseSolution to confirm how we discovered the breach, and whether they were aware of their ethical responsibility to inform those impacted. Unfortunately LeaseSolution chose not to respond to our correspondence; therefore we were unable to ascertain whether those impacted had been sufficiently informed to allow them to action any required remediation.

To ensure that those responsible for the operations of LeaseSolution were aware of the situation, we attempted to contact the company directors as listed on Companies House. We regret that as part of this process we made an honest mistake and accidentally sent several emails to someone who was not a director of the company, but rather a family member of one of the directors with a similar name. This was accidental and we have since updated our process for initiating contact during disclosures, to ensure this mistake does not happen again.

We are always open to receiving feedback on our outreach methodology, including from LeaseSolution on how we can improve our approach.

Breach Disclosure

In line with our Responsible Disclosure Policy, and because we cannot be assured that the affected individuals or parties have been informed of the breach, we make this public disclosure statement: to incentivise appropriate behaviour in the wider community, to raise awareness, and to ensure that false information about the nature of the breach does not spread.

This breach demonstrates the importance of due diligence within supply chains. From our investigations the databases contained information belonging to several companies which appear to be clients of LeaseSolution. These companies include: 

  • Rolls Royce
  • Tesco
  • Samsung
  • Computacenter
  • Link Group
  • Capita
  • Freightliner
  • MC Group
  • LeaseSolution (Breached database)

For a full list of companies affected see Appendix A. 

Afterword

This breach is a case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture. Due diligence is not a box that can be ‘checked’ once and left thereafter, nor should cyber security analysis be missing from this process – a problem we address in our Exosystem Monitoring solution. 

Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.

No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database. This data was discovered during R&D for TurgenSec’s DataShadow product.

There was no legal obligation for us to disclose this breach. Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in Appendix B. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.

Going forward we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high risk, no reward situation. We believe that such a culture shift would directly benefit the UK & international community through the global reduction of cyber crime.

Appendix A – Companies Impacted as Observed By TurgenSec

  • Rolls Royce
  • Tesco
  • Samsung
  • Computacenter
  • Link Group
  • Capita
  • Freightliner
  • MC Group
  • LeaseSolution

Appendix B – The Data Headings as Observed By TurgenSec

  • 1stAlertDay
  • 1stAlertMessage
  • 2ndAlertDay
  • 2ndAlertMessage
  • AccessFailedCount
  • AccessList
  • AccessProfileId
  • AccountingProfileId
  • AccountingProfileSectionRecords
  • AccuDiffFieldValue
  • Action
  • ActiveUsers
  • AdditionalUserLicense
  • AdditionsPurchasePrice
  • AddressLine1
  • AddressLine2
  • AddressLine3
  • AddressType
  • AffirmativeContractTypes
  • AffirmativeLeaseTypes
  • AffirmativePaymentTypes
  • AlertLevel
  • Alerts
  • AlertType
  • Alias
  • __all_fields
  • Analyzers
  • Applied
  • Asset
  • AssetClass
  • AssetClassId
  • AssetEventType
  • AssetFields
  • AssetSectionRecordIdList
  • AssetsTab
  • Attachments
  • Author
  • AzureRemoteFolderName
  • AzureStorageContainer
  • BillingAddress
  • BlockOrder
  • Body
  • BranchOffice
  • CalculationClass
  • Capital
  • Central
  • Claims
  • ClassName
  • Client
  • ClientAddresses
  • Client_Id
  • ClientId
  • ClientOwner
  • ClientType
  • ClientView
  • ClientView_Id
  • Code
  • Column
  • ColumnPosition
  • Comment
  • CommonName
  • Companies
  • Company
  • CompanyAddressIds
  • Company_Id
  • CompanyId
  • CompanyLevel
  • CompanyName
  • CompanyType
  • CompanyTypeId
  • CompanyType_Type
  • CompanyView
  • Contacts
  • ContainerType
  • Content
  • Content-Type
  • ContractId
  • ContractProcessId
  • ContractRef
  • ContractReference
  • contracts
  • ContractTemplateFieldId
  • ContractTemplateId
  • ContractType
  • ContrsctId
  • Country
  • CountryCode
  • CountryId
  • CountryName
  • CountryState_Text
  • CountryState_Value
  • CountryView
  • CountyState
  • CreatedAt
  • CreatedBy
  • CreatedDate
  • Culture
  • CumDepreciation
  • Currency
  • CurrentContact
  • Customization
  • Data
  • DatabaseName
  • DataFrom
  • DataSource
  • DataTo
  • DateDiff
  • DateFrom
  • DateTo
  • Default
  • DefaultDataSource
  • DefaultText
  • DefaultValue
  • definition
  • DepreciationAmount
  • Description
  • Details
  • DirectDial
  • Disabled
  • DisableInMemoryIndexing
  • DisplayName
  • DocListAllHeaderString
  • Docs
  • DocumentCss
  • __document_id
  • __document_Id
  • _document__Id
  • _document_Id
  • document__Id
  • document_Id
  • DocumentId
  • DocumentType
  • DueDate
  • EditLevel
  • Email
  • EmailConfirmed
  • EmailSubject
  • EndDate
  • Ensure-Unique-Constraints
  • @etag
  • Etag
  • EU
  • Exception
  • ExceptionMethod
  • Extension
  • FeeEstimate
  • Field
  • FieldAlias
  • Field_FieldSystemName
  • FieldIds
  • FieldIO
  • FieldLabelName
  • FieldLabelValue
  • FieldLevel
  • _FieldName_
  • FieldName
  • Fields
  • FieldSystem
  • FieldSystemName
  • FieldTooltip
  • FieldType
  • FieldValue
  • FieldValueTooltip
  • FileName
  • FileTypeCssClass
  • FirstContact
  • FirstName
  • FiscalYearStart
  • FollowedTasks
  • FollowedTasksId
  • FollowedTasksValue
  • FormatType
  • Frequency
  • FullBackupIntervalMilliseconds
  • FullName
  • GlacierVaultName
  • Group
  • HasAccountProfile
  • HasDocument
  • HasNote
  • HasReminder
  • HeadOffice
  • HelpURL
  • HostingAndSupport
  • HResult
  • IbrPercentValue
  • @id
  • id
  • Id
  • Identities
  • IfrsSixteenDate
  • IfrsSixteenPreDate
  • Indexes
  • IndexId
  • IndexType
  • IndexValue
  • IndexVersion
  • InitialTerm
  • InnerException
  • InternalFieldsMapping
  • IntervalMilliseconds
  • IpAddress
  • IsAdditionalAsset
  • IsBlankRow
  • IsCompiled
  • IsDeleted
  • IsHidden
  • IsMapReduce
  • IsReadOnly
  • IsRequired
  • IsSideBySideIndex
  • IsTestIndex
  • JobTitle
  • Key
  • Language
  • LastAttachmentDeletionEtag
  • LastAttachmentsEtag
  • LastBackup
  • LastContact
  • LastDismissedAt
  • LastDocsDeletionEtag
  • LastDocsEtag
  • LastFullBackup
  • Last-Modified
  • LastModified
  • LastModifiedTicks
  • LastName
  • LeaseType
  • LeaseTypeIfrsSixteen
  • LeaseTypeText
  • Length
  • Lessor
  • Lessor_Text
  • LessorText
  • Level
  • Level_Range
  • LicensedUsers
  • LicenseStartDate
  • LinkedContracts
  • LocalFolderName
  • LocalizedProperties
  • Location
  • lockMode
  • LockMode
  • LockoutEnabled
  • LockoutEndDateUtc
  • LogDateTime
  • Logins
  • LoginTime
  • Logs
  • LowValue
  • MainPhone
  • Map
  • Maps
  • MatrixType
  • Max
  • MaximumColumn
  • MaxIndexOutputsPerDocument
  • Message
  • @metadata
  • Metadata
  • Method
  • Mobile
  • MobilePhone
  • ModifiedBy
  • ModifiedDate
  • name
  • Name
  • NewValue
  • NextContact
  • NextInvoice
  • Non-Authoritative-Information
  • NoteCss
  • NoticeDate
  • NoticeType
  • NumberOfColumns
  • ObjectName
  • Observed
  • OperationalSupport
  • Options
  • Order
  • Origin
  • OriginalFileName
  • Owner
  • OwnerId
  • ParamName
  • Parent
  • ParentCompany
  • PasswordHash
  • PaymentType
  • PaymentTypeOfTotalPvPercent
  • Period
  • PhoneNumber
  • PhoneNumberConfirmed
  • PlaceHolders
  • PostCode
  • PreferredLanguage
  • PreviousFieldValue
  • PreviousValue
  • ProcessId
  • ProspectStatus
  • Range
  • RatePercent
  • Raven-Clr-Type
  • Raven-Entity-Name
  • Raven-Last-Modified
  • Raven-Replication-History
  • Raven-Replication-Source
  • Raven-Replication-Version
  • ReadLevel
  • ReadLevel_Range
  • ReceivedEmailFromFirstAlertUserIds
  • ReceivedEmailFromSecondAlertUserIds
  • RecordColumnOrder
  • RecordFieldId
  • RecordFields
  • RecordOrder
  • Reduce
  • ReferedPaymentRecordId
  • Reference
  • ReminderCss
  • ReminderDate
  • ReminderNote
  • RemoteStackIndex
  • RemoteStackTraceString
  • ReportAlias
  • ReportName
  • ResetExpired
  • ResetKey
  • Role
  • Role_Level
  • RoleName
  • Roles
  • RouTotalValue
  • Row
  • RowPosition
  • Rows
  • S3BucketName
  • S3RemoteFolderName
  • SaaSFee
  • SectionId
  • SectionIds
  • SectionName
  • SectionRecordId
  • SectionRecordIds
  • Sections
  • Sections_Id
  • SecurityStamp
  • SelectedOption
  • SeletedViewId
  • SerializedSizeOnDisk
  • SettlementCostAfterSequence
  • SettlementCostSequence
  • ShouldRegeneratePayments
  • SlnBookValue
  • SortOptions
  • SortOrder
  • Source
  • SourceId
  • SourceSectionId
  • SourceType
  • SpatialIndexes
  • SpecifiedUserIds
  • StackTraceString
  • StartDate
  • State
  • StateCode
  • StateName
  • StateView
  • Status
  • Stores
  • Subject
  • Suggestions
  • SuggestionsOptions
  • Suppliers
  • Supplier_Text
  • Switchboard
  • Symbol
  • Tag
  • TaskId
  • Tasks
  • TaxCode
  • TaxType
  • TaxType_Id
  • TaxTypeId
  • TaxTypeView
  • Temp-Index-Score
  • Template
  • TemplateAccess
  • Template_Id
  • TemplateId
  • TemplateName
  • Templates
  • TemplateType
  • Template_Value
  • Temporary
  • TerminatedAssetsPurchasePrice
  • TermVectors
  • TextAlign
  • TextMode
  • TimeStamp
  • Title
  • ToolTip
  • TotalColumn
  • TotalPrincipal
  • TotalPurchasePrice
  • TransfomerId
  • Transformers
  • TransformerVersion
  • TransformResults
  • TwoFactorEnabled
  • $type
  • Type
  • TypeId
  • TypeName
  • UniqueKey
  • UnLicenseUsers
  • UpdatedField
  • User
  • UserId
  • UserLevel
  • UserName
  • UsersSeen
  • $value
  • Value
  • $values
  • Version
  • ViewField
  • ViewId
  • ViewLevel
  • Views
  • WatsonBuckets
  • WebSite
  • Year

Asset Classes:

  • Aircraft
  • All Assets
  • AssetClass
  • Biological
  • Equipment
  • Film
  • Land & Buildings
  • Licensed IP
  • Non-Regenerative Resource
  • Plant & Machinery
  • Service Concession
  • Vehicles
  • AssetClass
  • LinkedContracts
  • FieldIds
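Appendix B is published so that impacted organisations can scope their incident response. The following is an added example, not part of the TurgenSec statement or of any LeaseSolution/LS2 code: a small Python helper that sorts a leaked heading list into categories an IR team would prioritise differently (credential material first, then personal contact data, hosting and backup configuration, commercial contract data, and finally database engine metadata). The category rules are regexes I have assumed from the heading names alone; the function names `classify`, `triage` and `highest_priority` are my own, and `SAMPLE_HEADINGS` is a subset copied from Appendix B as sample input. Nothing here was confirmed against the breached data.

```python
"""Triage a leaked column-heading list for incident-response scoping.

Added example, not part of the TurgenSec statement. Sorts data headings such as
those in Appendix B into categories an IR team would prioritise differently.
The category rules are the author's assumptions based on the names alone.
"""
import re
from collections import OrderedDict

# Categories in priority order; the first match wins, so the most sensitive
# interpretation of a heading is the one applied. Patterns are assumptions.
CATEGORY_RULES = OrderedDict([
    ("credential_material", [
        r"^PasswordHash$", r"^SecurityStamp$", r"^ResetKey$", r"^ResetExpired$",
        r"^TwoFactorEnabled$", r"^Lockout", r"^AccessFailedCount$",
        r"^Logins?$", r"^LoginTime$", r"^IpAddress$",
    ]),
    ("personal_contact_data", [
        r"^(First|Last|Full)Name$", r"^Email(Confirmed)?$", r"^JobTitle$",
        r"Phone", r"^Mobile$", r"^DirectDial$", r"^Switchboard$",
        r"^AddressLine\d$", r"^PostCode$", r"^PreferredLanguage$",
    ]),
    ("hosting_backup_config", [
        r"^S3", r"^Azure", r"^GlacierVaultName$", r"^LocalFolderName$",
        r"Backup", r"^DatabaseName$",
    ]),
    ("commercial_contract_data", [
        r"^Contract(Ref|Reference|Id)$", r"^Lessor", r"^Supplier",
        r"Fee", r"Price", r"^RatePercent$", r"^Ifrs", r"Depreciation",
        r"^Settlement", r"^NextInvoice$", r"^TaxCode$",
    ]),
    ("database_engine_metadata", [
        r"^Raven-", r"^@", r"^\$", r"_?_?document_?_?[iI]d$", r"^Etag$",
        r"^Temp-Index-Score$", r"^Ensure-Unique-Constraints$",
    ]),
])

COMPILED = OrderedDict(
    (cat, [re.compile(p) for p in pats]) for cat, pats in CATEGORY_RULES.items()
)


def classify(heading):
    """Return the first matching category for one heading, or 'uncategorised'."""
    for category, patterns in COMPILED.items():
        if any(p.search(heading) for p in patterns):
            return category
    return "uncategorised"


def triage(headings):
    """Group headings by category; each list is de-duplicated and sorted."""
    groups = {cat: set() for cat in CATEGORY_RULES}
    groups["uncategorised"] = set()
    for heading in headings:
        groups[classify(heading)].add(heading)
    return {cat: sorted(items) for cat, items in groups.items()}


def highest_priority(headings):
    """Return the most sensitive category present, or None if nothing matched."""
    present = triage(headings)
    for cat in CATEGORY_RULES:
        if present[cat]:
            return cat
    return None


# Sample input: a subset of the headings listed in Appendix B of the statement.
SAMPLE_HEADINGS = [
    "FirstName", "LastName", "Email", "Mobile", "JobTitle", "AddressLine1",
    "PostCode", "PasswordHash", "SecurityStamp", "ResetKey", "TwoFactorEnabled",
    "IpAddress", "S3BucketName", "AzureStorageContainer", "GlacierVaultName",
    "LastBackup", "ContractRef", "Lessor", "SaaSFee", "TotalPurchasePrice",
    "Raven-Entity-Name", "Raven-Clr-Type", "@metadata", "__document_id",
    "$type", "Etag", "Description", "Year",
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_HEADINGS).items():
        print(f"{category} ({len(items)}): {', '.join(items)}")
    print("highest priority:", highest_priority(SAMPLE_HEADINGS))
```

Run against the full Appendix B list, the output tells an affected organisation which question to answer first: whether user credentials (password hashes, reset keys, security stamps) need rotating, before moving on to notifying the individuals whose contact details appear, and to reviewing any storage or backup locations named in the configuration headings.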

Appendix C – Communications Log with LeaseSolution:

  • 15th April – We reached out via telephone, using publicly listed phone numbers, to those at LeaseSolution believed to be responsible for managing the LS2 software, and seemed to be making progress. 
  • 15th April – We also sent an email to a director of LeaseSolution who had responded to us, providing them with our Responsible Disclosure Policy. This policy is public and can be found here: Responsible Disclosure Policy
  • 20th April – LeaseSolution replied to us thanking us for bringing the data breach to their attention. LeaseSolution informed us that they “take such matters very seriously”, and “expect to have completed [their] investigations by the end of this week.”
    • LeaseSolution also informed us that they “will then arrange a pen test to satisfy [themselves] that any relevant points have been satisfactorily addressed and are fully under control.” 
    • We applaud the initiative LeaseSolution took in assuring the security of their system going forward.
  • 24th April – TurgenSec reached out to LeaseSolution saying: 

“It is drawing towards the end of the week and we are very keen to hear how your investigations have gone. 

Have you informed all the affected parties of the data breach or do you intend on making a public disclosure instead – to allow those impacted to take any incident response activities they deem necessary.”

  • 24th April – LeaseSolution replied to TurgenSec informing us that they had almost concluded their investigation and required nothing from us going forward. 
    • LeaseSolution did not inform us if they had informed affected parties or any relevant government entities.
  • 24th April – TurgenSec replied to LeaseSolution informing LeaseSolution of our next steps and intention to publicly disclose in line with our Responsible Disclosure Policy. Our email:

“Thank you for the update. 

In that case we shall consider our communications with LeaseSolution complete and continue executing against our Responsible Disclosure policy and processes. 

Attached earlier or see Trust and Confidence.

Should you wish to reopen dialog and participate in the processes outlined in our responsible disclosure process we will gladly work with you.”

  • 7th May – As TurgenSec could not be assured that the data breach, and its extent, had been disclosed to all of the affected parties so that they could enact their incident response plans, TurgenSec reached out to the affected parties with the email below: 

Dear [Person] @ [Company], 

We are reaching out to you as part of our Responsible Disclosure process as outlined in our Responsible Disclosure Policy (attached). 

In April we responsibly disclosed a data breach at a company named LeaseSolution. We communicated with the company who launched an internal investigation. The open databases have since been restricted from public and unauthorised access. 

Your company, [Company], was contained in the database and we speculate you were a client of LS2 (LeaseSolution), and that your data was potentially breached. 

We are reaching out to ascertain whether or not you are aware of this breach as we intend to proceed in line with our responsible disclosure policy moving forward.

We are not seeking any financial remuneration for responsibly disclosing this breach. We only wish to be assured that you have been adequately informed of the extent of the breach; enough to take any necessary remediation action.

For the avoidance of doubt, TurgenSec does not engage in reverse engineering, cracking, brute force password attacks or other ‘black hat’ techniques.

We appreciate that this email comes out of the blue. Please do make your own enquiries as to our authenticity. To assist, reputable news outlets have reported on our previous responsible disclosures. For example: https://www.bbc.com/news/business-51760510

We can refer you to resources from the UK’s NCSC (https://www.ncsc.gov.uk/) on how to proceed, according to good practice and the law. We would also be happy to offer guidance on how best to respond to this situation. Feel free to telephone us on +44 (0) 20 3151 4828, to discuss further. 

We strictly adhere to our own ethical policy governing responsible disclosure, which you can read attached.

Thanks,

TurgenSec Research Team

  • 13th May – None of the companies impacted responded to the above email and our statement was drafted.
  • 18th May – TurgenSec releases its first statement.