Specialists in secure data erasure revealed the discovery of an online database without assured that it contained personal and confidential information from more than 190 law firms using the British firm’s Laserforms Hub software.
Investigators who made the finding mentioned that the database was available to any user with Internet access and a browser, so the incident poses a serious threat to the 193 firms involved, their employees and their customers. The UK National Cyber Security Centre (NCSC) helped determine the source of this data.
“Due to the nature of the information exposed, we consider that there is a high likelihood of harm to the individuals and organizations involved,” the specialists in secure data erasure include. This information has been exposed for an indeterminate period of time, so it remains to be determined whether any employee or user has already been a victim of the incident.
The finding was reported to Advanced by researchers from TurgenSec. After the notification, the software vendor closed public access to the database, but refused to cooperate with the company to issue any public statements about the data breach.
According to TurgenSec’s secure data erasure experts, the database exposed contained information related to all employees of the 193 compromised signatures, as well as data related to user authentication, such as usernames, passwords, employer name, and more. In addition, in some cases confidential details of members of the firms were also presented, such as full names, addresses, telephone numbers, place of residence, passport details, among other details. Although not confirmed, it is mentioned that some details about financial transactions are also available in the database.
“This data breach is a relevant case for the debate about responsible disclosure of information and the ways in which companies behave to meet a computer security standard,” TurgenSec researchers consider.
The International Institute of Cyber Security (IICS) mentions that this is a sign of abusive practice, as many records remained under the guard of these companies even three years after they were registered.