Cybersecurity researcher Jeremiah Fowler uncovered a non-password-protected database containing 38.6 million records belonging to Rapid Legal — a legal support services company offering court filing, process serving, and document retrieval services for law firms, legal departments, and self-represented litigants.

Key Findings of the Breach

  • Volume of Exposed Data: The breach involved 38,648,733 records, totaling 38 TB of data.
  • Types of Documents Exposed: The exposed data included court documents, service agreements, and payment information, all showing partial credit card details and personally identifiable information (PII).
  • Additional Discovery: Fowler also found references and links to an additional storage repository named Legal Connect, containing 89,745 records with a total size of 249.9 GB. Both companies appear to share the same corporate leadership, with Legal Connect serving as the back-end technology provider while Rapid Legal provides filing services.

Details of the Exposed Data

The non-password-protected database contained a wide range of legal documents, court filings, and other information that should not have been publicly exposed. The documents ranged from 2009 to 2024 and were organized by year, month, and day. In the folders, there were case documents, filed documents, notices, receipts, declarations, exhibit evidence, judgments, and other relevant case files.

According to Rapid Legal’s website, the service has enabled more than 32,000 law firms to file or transmit over 7 million orders and 11 million legal documents both to and from various court systems. While most court documents in the United States are considered public records, certain details remain protected under federal regulations, which mandate the redaction of specific personal information in federal court submissions to protect privacy.

Upon discovering the breach, Fowler immediately sent a responsible disclosure notice to both Rapid Legal and Legal Connect. Both databases were secured from public access the same day. However, it remains unclear how long the data was exposed or whether anyone else accessed it. Only an internal forensic audit could identify this information or any suspicious activity within the cloud storage environment. As of publication, neither Rapid Legal nor Legal Connect had responded to Fowler’s disclosure.

In a 2023 press release, Rapid Legal announced plans for a national expansion of its LegalConnect platform, with immediate availability in California and Texas and further expansion to a dozen eFiling states, including Illinois, New York, and Florida, by mid-2024. LegalConnect is promoted as the leading eFiling and litigation support services platform for white-labeled service providers and legal technology companies.

This breach serves as a critical reminder of the importance of cybersecurity in the legal services industry. Legal documents often contain highly sensitive information, making them prime targets for cybercriminals. It is imperative for legal service providers to implement stringent security protocols, including:

  • Database Security: Ensuring that all databases are password-protected and encrypted.
  • Regular Security Audits: Conducting regular security audits to identify and address potential vulnerabilities.
  • Employee Training: Providing comprehensive cybersecurity training to employees to prevent accidental data exposure.

Potential Risks and Consequences

The exposure of such a vast amount of sensitive information poses severe risks to the affected individuals and entities. If discovered by malicious actors, this data could lead to various cybercrimes, including:

  • Phishing Attacks: With access to personal information, cybercriminals can craft convincing phishing emails to trick individuals into revealing further sensitive information or accessing malicious links.
  • Identity Theft: The PII exposed in the breach could be used to steal identities, leading to fraudulent activities and significant financial loss for the victims.
  • Financial Theft: Partial credit card details can be exploited for unauthorized transactions, leading to direct financial loss.

The Rapid Legal data breach has exposed the vulnerabilities in the data protection practices of legal service providers. With nearly 39 million records at risk, the consequences of such breaches can be dire for both individuals and organizations. It is imperative for companies handling sensitive legal information to prioritize cybersecurity measures to protect their clients and maintain trust.