Advanced says exposed client data was on “historic software platform”

Sensitive client data has been found in a historic Laserform database accessible via a browser. Laserform was acquired by legal software provider Advanced Computer Software in 2006.

The database was discovered by information security startup TurgenSec, which recently exposed an open Virgin Media database that contained information linking customers to pornographic sites.

TurgenSec first published high level, no name details of the security failure on 27 April. An investigation by the FT published today (4 May) has named Advanced: it claims that a data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years, potentially affecting the clients of about 190 law firms.

However, Justin Young, director of security and compliance at Advanced, told Legal IT Insider that much of the data discovered was publicly available information submitted to Companies House and therefore available in the public domain.

TurgenSec has now published on its website an updated statement naming the 190-plus law firms that are allegedly affected. They include many of the biggest global law firms and, as cited by the FT, three magic circle law firms.

According to TurgenSec’s report, the primary data available for all firms affected included user ID, username, hashed password, and organisation. In addition, it claims that some of the databases included company details, town of birth, telephone numbers, national insurance numbers, passport numbers, mother’s maiden name and eye colour.

Young told Legal IT Insider: “A number of these fields were blank fields with no data populated, the remainder contained only the first three digits or letters.”

Young said: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers. 

“The data in question related to commercial property transactions and was largely of public record [published via Companies House] and pre-dated 2017. The data which was not subsequently included in public records consisted of business email addresses, passwords and security verification responses.

“The passwords on the affected platform were all in secure hashed form. The security verification responses on the affected platform consisted of the first three letters of the response only and therefore resulted in a very limited amount of additional information being discernible from the platform. None of the data is deemed sensitive or special category under current legislation.  We have taken legal advice to verify our position.”     

Advanced says it has not reported the incident to the ICO due to the fact that the data is largely in the public domain, in line with independent legal advice.

Advanced also owns Oyez Professional Services, which it bought in 2019, and Tikit, which it acquired this year.

TurgenSec discovered the database while conducting R&D for a new product called Exosystem, which monitors data leaks in third-party suppliers.