Nearly 39 Million Records Were Exposed Online by Legal Services and Technology Company

In Data Breach News
July 08, 2024

vpnMentor reports:

Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained 38.6 million records belonging to Rapid Legal — a legal support services company that offers court filing, process serving, and document retrieval services for law firms, legal departments, and self-represented litigants. The database contained court documents, service agreements, and payment information (all showing partial credit card details and PII).

The non-password-protected database contained 38 TB of data and totaled 38,648,733 records. These included a wide range of legal documents, court filings, and other information that should not have been publicly exposed. The documents and name of the database indicated they belonged to California-based legal services provider Rapid Legal. Upon further investigation, I found references and links to an additional storage repository. It was listed as Legal Connect, and it contained 89,745 records with a total size of 249.9 GB. Based on a public web search, both companies appear to share the same corporate leadership and seem to be connected. Legal Connect is presented as the back-end technology provider while Rapid Legal provides filing services to customers and partner affiliates. I immediately sent a responsible disclosure notice to both Rapid Legal and Legal Connect, and both databases were secured from public access the same day. It is not clear how long the data was exposed or if anyone else may have had access. Only an internal forensic audit could identify this information or any suspicious activity within the cloud storage environment. I did not receive any response from either Rapid Legal or Legal Connect by the time of publication.

Read more about the findings and potential risks at vpnMentor.