Please see updates below this post, as the bar association disputed any claims that they were hacked and asked DataBreaches.net to remove the post.
If they would prefer “unauthorized access” to “hack,” well, okay, but they need to secure their files better, even if they are public records.
Original post:
You’ve probably seen some articles reminding law firms to secure their data better, as they hold a wealth of confidential personal, financial, medical, and corporate data.
But now it seems that the Florida Bar Association itself has been hacked. No, they don’t contain the vast troves of sensitive personal and corporate law data that their members’ networks maintain, but still, it should be somewhat embarrassing.
According to the bar association’s web site, the Florida Bar is the organization of all lawyers licensed by the Supreme Court of Florida to practice law in the state. Any lawyer who wishes to practice in Florida must be a member. And according to their statistics, there are currently 85,038 members in good standing who are eligible to practice plus an additional 4,210 who are in good standing but not eligible to practice, and 13,535 more who are not eligible to practice (for a total of 102,783).
On September 22, a hacker or hackers associated with a former Palm Beach County Sheriff’s Office deputy (one with a long-standing dispute with Florida law enforcement that appears to have gotten him raided by the FBI) managed to access and acquire what appears to be the bar’s entire database. In a lengthy post about the hack and database dump, they describe the data and comment on it (Caution: their post uses language or imagery that some readers may find offensive). They also parse the data. Here are just some of the data they report:
158,385 email addresses
219,139 office phones and cell phone numbers
84,772 fax numbers (who would have known? I haven’t seen a fax machine in 10 years)
226,928 mailing addresses
And in what will likely make some lawyers unhappy, the hacker(s) also analyze the disciplinary files in terms of which lawyers received the most bar complaints, and they include a rank-ordered list.
The hacker(s) helpfully, if impolitely, give the bar association a clue as to how to secure their network better:
I recommend the Florida Bar do something about their JSON outputs to prevent their data from leaking like Chief Deputy Gauger’s dick after banging a crack whore with syphilis.
The association’s web site, which the hacker(s) had reported as being down on Thursday, was online when DataBreaches.net checked the site last night. There does not appear to be any notice or mention of the hack or data leak.
DataBreaches.net emailed the bar association to inquire as to what they were doing in response to the breach, but has not heard back by the time of publication. This story will be updated as more information becomes available.
Update 1: The Florida Bar Association’s initial response, received this morning, was to say that their servers were not compromised at any point. As per their policy, they would not open attachments or access the data dump, so I have sent them data/records that include file sizes and number of records, etc., and asked them to have their IT folks take a close look at it. In any event – and the bar association is quite correct on this point – all of the information is public records. But as with voter registration lists, just because information might be public records, that doesn’t mean that a server wasn’t accessed improperly. This post will be updated again when I get a statement after they look at some of the data.
Update 2: The bar association sent a follow-up response stating:
Our servers did not experience a data hack. The information referenced is public record under Florida law.
One has nothing to do with the other, and there’s no explanation of how those who posted the data dump would have acquired .sql databases with timestamps on records. DataBreaches.net has reached out to pbsotalk.ru web site for a response to the denied hack, and will update this post yet again if more information becomes available.
Update 3: The Florida Bar Association’s request that this post be removed is being denied, because you can quibble, perhaps, about what the word “hack” means, but as one infosecurity professional DataBreaches.net consulted with said, this was “unauthorized access” because while it may be public records, the records were not obtained via the public records access process.
DataBreaches.net also consulted with Steve Ragan, Senior Staff Writer for CSO, who commented:
From the way the hackers describe the compromise, this is a WebAppSec problem. That most of the records could be discovered in public archives is beside the point. The records were housed in a single location. That the attackers were able to obtain them all in a single pass via configuration issues or application vulnerabilities makes this a hack, not a data leak.
Finally, the hackers sent me an mp4 file showing exactly how they could access what they report was 259,969 records. I am considering uploading the file as proof, but am a bit reluctant to for concern that others may exploit this.
DataBreaches.net would encourage the Florida Bar Association to pay attention to the hint the hackers left you about JSON outputs. Claiming that something is public records does not negate the association’s responsibility to adequately secure them.
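To make the “JSON outputs” hint concrete, here is an added illustration of the general class of problem it points at. This is example code written for this post; it is not code from the bar association’s site, the hackers, or the original article, and every column name, the sample row, the set of “public” fields and the page-size cap are assumptions. A directory search endpoint that serializes whole database rows exposes every column (including the kind of internal timestamps noted on the dumped records, even though the HTML profile page never shows them), and without a server-side cap on page size a single scripted sweep can pull the entire table in one pass. The allowlisted projection and the `leaked_fields` check show the fix and how to test for the regression.

```python
import json

# Constructed sample row; all column names are assumptions for this example.
SAMPLE_ROW = {
    "member_id": 12345,
    "name": "Jane Q. Attorney",
    "city": "Tallahassee",
    "status": "Member in Good Standing",
    "office_phone": "850-555-0100",
    "email": "jane@example.invalid",
    "internal_notes": "callback re: renewal",   # never meant for the public
    "created_at": "2015-03-02T10:00:00Z",      # DB timestamps: exactly the
    "updated_at": "2023-09-21T08:14:00Z",      # kind of field a raw row dump leaks
}

# Fields the public HTML profile actually renders (assumed for the example).
PUBLIC_FIELDS = ("member_id", "name", "city", "status", "office_phone", "email")

# Hard cap on how many records one request may return (assumed policy).
MAX_PAGE_SIZE = 50


def serialize_unsafe(row):
    """The anti-pattern: dump the row object exactly as fetched from the database."""
    return json.dumps(row)


def project_public(row):
    """Allowlist projection: keep only the columns the front door already shows."""
    return {k: row[k] for k in PUBLIC_FIELDS if k in row}


def serialize_public(row):
    """Safe output: serialize the projection, never the raw row."""
    return json.dumps(project_public(row))


def leaked_fields(json_text, allowed=PUBLIC_FIELDS):
    """Return every key in a JSON response that is not on the allowlist.

    Run this against each JSON endpoint of a site (or as a regression test)
    to catch columns that leak through the API even though the HTML view
    hides them. Accepts a single object or a list of objects.
    """
    payload = json.loads(json_text)
    records = payload if isinstance(payload, list) else [payload]
    return {k for rec in records for k in rec if k not in allowed}


def search_page(rows, page, page_size=25):
    """Server-side paging with a hard cap, so ?page_size=1000000 cannot pull
    the whole directory in one request. Returns allowlisted records only."""
    page_size = max(1, min(int(page_size), MAX_PAGE_SIZE))
    page = max(1, int(page))
    start = (page - 1) * page_size
    return [project_public(r) for r in rows[start:start + page_size]]


if __name__ == "__main__":
    print("unsafe output leaks:", sorted(leaked_fields(serialize_unsafe(SAMPLE_ROW))))
    print("public output leaks:", sorted(leaked_fields(serialize_public(SAMPLE_ROW))))
```

The projection is the important part: serializers should start from a list of fields the page is allowed to show, not from the row object, so that adding a column to the table never silently adds it to the API. The page-size cap only raises the cost of a full sweep; pairing it with rate limiting per client is what actually stops a one-pass harvest.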
The bar association may not have been hacked, but their response is far from reassuring. If the responder truly doesn’t understand the difference between the database being hacked and where else someone might find this data, it is apparent that whoever is responding to your inquiry isn’t the person who should be looking into this for the association. Likewise, while I understand the unwillingness of a layperson to read the data or open attachments, a security professional could easily do so for them so that they could properly address the possible breach and their potential liability. You’d hope one of their members would point this out.
I’m not done with this one yet, as you might guess. And at each stage, I have asked them to have their IT department involved.
I have been sent more data – and I cannot find the corresponding records through the public’s access via the front door of the site. Nor am I sure whether the data I was sent would even be public records. Even if they are, however, if they’re not obtainable through the front door, then the bar association did have a vulnerability that got exploited. If they keep insisting that they weren’t hacked, then maybe I should ask them what they mean by “hacked.”
Update: OK, I was subsequently able to find the data, but I have also been sent a demo of how the .sql files were accessed.
The bar’s site offers a lot of data on its members, and the directory is served over plain, unencrypted HTTP (no TLS), example below. I can find 127,884 results through the front door, with enough data that a ransomware miscreant should have a field day. But apparently this information is required to be available under Florida law. Are you seeing even more data elements than show at the following link?
http://www.floridabar.org/wps/portal/flbar/home/attysearch/mprofile/!ut/p/z1/jY_LDoIwFEQ_qdMKLSyvBkmLWOMDoRvTFWmi6ML4_ZLGjQvQ2d3knNwZ5ljL3OBfoffPcB_8dbw7Jy8QouD2AFMa4qBqn-5MXQFCsnME6pwTTzKYLKE1dKMarY5c0DZl7h9_Boj-RAij775fWKlWILtBXhRLoFx8gImKsHweiBt-tXjcTi2C7t–_LSO/dz/d5/L2dBISEvZ0FBIS9nQSEh/?mid=30025
The hackers inform me they acquired 259,969 records. See Update 3 to the post.