Data breach exposes information from thousands of clients of a legal firm

WizCase security researchers reported a leak of private information belonging to thousands of Turkish citizens, caused by a misconfigured Amazon Web Services (AWS) bucket. The bucket contained information from more than 15,000 legal cases involving a minimum of 5,000 people.

The information was apparently stored by INOVA YÖNETIM & AKTÜERYAL DANIŞMANLIK, an actuarial and legal advisory firm that stores statistical and risk analyses. Inova has operated in Turkey since 2021 and has significant business customers.

According to experts, the leak involves sensitive information such as full names, dates of birth, gender and national identification keys. Details about customers' insurance policies, including the name of the insurance company, file number, start date and term of contract, were also leaked.

Due to the nature of the affected company, the exposure goes beyond client details: it also includes data on third parties such as beneficiaries of insurance policies, police officers working on car accidents, prosecutors and legal representatives, among others. In a secondary file, experts even found scans of confidential documents such as:

  • Photocopies of driver's licenses
  • Photocopies of vehicle licenses
  • Photocopies of alcohol breathalyzer tests
  • Police officers’ accident reports
  • Testimonials

All this information was publicly accessible to any user with minimal information security knowledge.

As for the cause of the incident, specialists say it came down to a misconfigured AWS bucket, which exposed a database of about 20 GB. The bucket was not adequately protected, so anyone could have accessed and downloaded a large amount of sensitive information.
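The report does not say which setting was wrong. As an added example (not from WizCase or the affected firm), this Python audit checks the two usual ways a bucket ends up world-readable, a wildcard-principal policy statement or an ACL grant to a public group, against the bucket's Block Public Access settings. The function names, bucket name and sample inputs are constructed; `block` is assumed to be the effective `PublicAccessBlockConfiguration`, and statements carrying a `Condition` are left for manual review.

```python
import json

# ACL grantee groups that mean "everyone" or "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Ids of Allow statements with a wildcard principal and no Condition."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

def public_acl_grants(grants):
    """Permissions granted to a public group in a GetBucketAcl-style grant list."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def audit_bucket(policy_json, acl_grants, block):
    """block: effective PublicAccessBlockConfiguration as a dict (empty if unset)."""
    findings = []
    policy_hits = public_policy_statements(json.loads(policy_json)) if policy_json else []
    acl_hits = public_acl_grants(acl_grants)
    # RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls, public ACLs.
    if policy_hits and not block.get("RestrictPublicBuckets"):
        findings.append("policy allows anonymous access: " + ", ".join(policy_hits))
    if acl_hits and not block.get("IgnorePublicAcls"):
        findings.append("ACL grants public " + ", ".join(sorted(acl_hits)))
    return findings

# Constructed sample input; the bucket name is a placeholder, not from the report.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-case-files", "arn:aws:s3:::example-case-files/*"]},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-case-files/*"}]})
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI":
               "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
```

Calling `audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, {})` reports both exposures, while passing `LOCKED_DOWN` as the third argument returns no findings even though the policy and ACL are unchanged.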

As mentioned above, the compromised information involves data from people who suffered accidents and filed legal cases in collaboration with Inova between January 2018 and July 2020. While unauthorized access to this information has not been confirmed, the consequences of this incident could be disastrous for both the legal firm and its representatives, including phishing attacks and malware infection campaigns. Experts say those affected could be exposed to sophisticated identity fraud campaigns, which have been very prevalent in Turkey in recent years. Moreover, since some documents also mention the estimated figures that some accident victims might receive, threat actors would have clear attack targets.
