Millions of Legal Documents Exposed Online! Sensitive data leak raises security concerns for the legal industry. Learn how this breach could impact you and what legal service providers can do to protect your information.
Independent cybersecurity researcher Jeremiah Fowler discovered a non-password-protected unsecured database containing 38.6 million records belonging to California-based legal support services company Rapid Legal.
Fowler reported the findings to vpnMentor, which said the database was left exposed to public access without a password or any other form of authentication. The information accessed by the researcher contained court documents, service agreements, and payment information, including partial credit card details and PII (personally identifiable information), amounting to around 38TB of data and 38,648,733 records in total.
Further investigation revealed references and links to an additional storage repository, Legal Connect, which contained 89,745 records with a total size of 249.9 GB. For context, Legal Connect is a back-end technology provider, whereas Rapid Legal provides filing services to customers and partner affiliates. Both companies appear to “share the same corporate leadership” and are connected, Fowler explained in his report.
The documents ranged from 2009 to 2024 and included case documents, filed documents, notices, receipts, declarations, exhibit evidence, judgments, and other relevant case files. The service has allowed over 32,000 law firms to file or transmit over 7 million orders and 11 million legal documents to and from various court systems.
Such a massive data leak can have devastating consequences for those affected. A folder titled Payments contained 737,389 files in .jsn format, including sensitive data like names, addresses, and the last four digits of credit card numbers.
Some records also contained merchant tokens, gateway data, and issuer authorization codes. These files are used for logging online payments and organizing transaction details, and adversaries can combine the data with other personal data for fraud or targeted phishing attacks.
Also exposed were .pfx files named for servers or partner services using Legal Connect’s technology; such files can contain the private keys and certificates used for secure or encrypted communications. In addition, the database contained an estimated 146,000 signed customer service agreements. The data could be used for targeted phishing attacks, harassment, malware, spam emails, or other fraudulent activities.
The databases were secured from public access on the same day Fowler sent a responsible disclosure notice. Fowler claims that there is no evidence of customer payment data being at risk or an imminent threat of fraudulent activity.
The leak of sensitive data at legal service companies underscores the need for a comprehensive approach to data security, including robust access controls, regular security audits, employee training on cybersecurity best practices, data encryption, and a well-defined breach response plan. These measures limit data access, identify vulnerabilities, educate employees on phishing awareness, and protect data in transit.