DataBreaches.Net


No need to hack when it’s leaking: Brandt Kettwick Defense edition

Posted on July 4, 2025 by Dissent

A recent survey of 500 U.S. law firms by Proton reported that one in five law firms were targeted in a cyberattack in the past year, and 8% of law firms (39% of those who reported a cyberattack) reported losing data or suffering exposure. To make matters even worse, Proton found that 65% weren’t familiar with their legal obligations around breach response.

Law firms are highly desirable targets for ransomware or extortion-oriented gangs because law firms often store very sensitive and confidential files that, in the wrong hands, could cause significant embarrassment or harm to individuals.

But the risk of data falling into the wrong hands is not just from cyberattacks. Much of the risk — and harm — is self-inflicted when law firms fail to adequately configure their online storage accounts and data is exposed. The problems are magnified greatly when the law firm ignores attempts to alert it to a data leak because they are afraid of a phishing attack and do not investigate an alert properly.

For this week’s installment of “No Need to Hack When It’s Leaking,” we give you Brandt Kettwick Defense, a criminal defense firm in Minnesota. Brandt Kettwick Defense had a misconfigured storage blob that was discovered by independent researcher @JayeLTee in early April.  How many others may have also discovered it, and for how long it had been misconfigured, is unknown to us at this time, but JayeLTee, noting that files with sensitive information were accessible without any password or login, attempted to alert the law firm to their security issue.

And thus began another time-consuming and frustrating saga in responsible disclosure.  The following is a timeline of the efforts made to get Brandt Kettwick Defense to secure their data properly:

  • June 4 — JayeLTee emailed a number of lawyers from the firm and submitted a “case evaluation” contact form to alert them. No one responded.
  • June 9 — JayeLTee submits another “case evaluation” contact form pointing them to his previous alert. Once again, he received an auto-reply that all case evaluation forms are reviewed and that someone would reach back to him within 24 hours. Once again, they did not respond.
  • June 12 — DataBreaches submits a contact form pointing them to JayeLTee’s previous alert, and includes the URL for the exposed blob. She followed up with a phone call to the firm, to tell them to read the contact form to get the URL of their leaking data, but whoever answered the phone hung up on her. DataBreaches called back and again tried to tell them that they had a data leak, and again, the same person hung up on her, saying, “Do not call us again.” So DataBreaches did not call them again, and pursued other methods.
  • June 12 — Because there was no option to “Connect” with them on LinkedIn, DataBreaches submits a comment to Brandt Kettwick under their most recent post on LinkedIn. The comment said, “I called you twice this morning to alert you that you are leaking your firm’s files in an unsecured data storage. I sent you a contact form message. Your staff hung up on me twice.”  They did not reply.

Brandt Kettwick was leaking files with sensitive data such as interview transcripts of witnesses, including an interview in a sex trafficking case with a video, and we weren’t getting a single reply to our attempts to alert them to their leak.

  • June 17 — JayeLTee submits yet another contact form seeking follow-up to his notification. There is still no reply and the blob remains exposed.
  • June 19 — JayeLTee emails [email protected][.]gov and the Hopkins, Minnesota police department, and urges them to contact Brandt Kettwick to tell them to secure their files.  Neither agency replies.
  • June 21 — Security researcher Martin Seeger sends an email to Brandt Kettwick with the subject line, “Ethics complaint against Brandt Kettwick Defense.” DataBreaches does not know if they ever read it, but this, too, received no reply.
  • June 21 — Seeger sends an email to a real estate agent whose property was searched subject to a search warrant that is exposed online. Information about the case and alleged conduct of the real estate agent was also exposed without any password required.
  • June 21 — DataBreaches forwards a copy of JayeLTee’s June 19 email to the FBI and the Hopkins police department, the two agencies it was addressed to, and asks what they have done in response. Neither agency responds.
  • June 23 — DataBreaches forwards the same JayeLTee email (the one sent to the FBI and Hopkins) to the Anoka Police Department after realizing that Brandt Kettwick has an office in that county. They, too, do not reply.
  • June 25 — DataBreaches reaches out to the Minnesota Bureau of Criminal Apprehension (BCA) via their media contact and explains the situation and all of the efforts made to contact the law firm. The email includes a few examples of BCA files with sensitive information that are in the exposed blob. Within two hours, the BCA responds:

Thank you for bringing this matter to our attention. BCA leadership and legal staff have been made aware of the issue and we are taking immediate steps to properly notify the law firm.

  • June 29 — Brandt Kettwick’s blob remains unsecured. Seeger posts on infosec.exchange asking whether anyone has a contact with a connection to Brandt Kettwick. Several of his contacts respond and indicate willingness to help. Great thanks to Tony Yarusso, who contacted a mutual friend of the firm’s partners, and Brad Koehn, who reached out to the Hopkins police department. We do not know what came of their efforts, but we greatly appreciate their help.
  • June 29 — DataBreaches emails BCA again and asks for an update, informing them that the name of the nonresponsive firm has now been made public with the fact that they are exposing sensitive files.  The BCA responds the next day:

Thank you for checking back in and for providing that update. Our office continues to attempt contact with Brandt Kettwick through multiple communication channels, but has so far been unsuccessful in reaching the appropriate people. We are committed to seeing a successful outcome and will continue our due diligence until the matter is resolved.

I will be in contact with an update once I have new information to share.

  • July 1 — A check of the blob shows that it has been locked down.
  • July 2 — The BCA emails DataBreaches with an update:

Following your June 25 email regarding the exposure of unredacted BCA files, our office took immediate steps to address the issue. We made several attempts to contact Brandt Kettwick, including multiple emails and voicemails over the course of several days.

We received their first response on Monday, June 30. In their reply, the firm indicated that, due to the frequency of spam emails, they were unwilling to open the provided links. They also stated their IT department had assured them their systems were secure. To address their concern about the links, we involved our Information Security Officer to verify the legitimacy of the links and offered support from our team to assist with data removal.

After receiving no further communication, we sent BCA personnel to the defense firm offices in person to convey the seriousness and urgency of the matter. As a result, the exposed links now appear to have been removed. We also took steps to notify the victim in one of the affected cases about the exposure of their information.

In your initial email, you mentioned the shared links were only a sample of the exposed files. Please don’t hesitate to let us know if you identify any additional instances that require attention.

Thank you again for bringing this matter to our attention and helping ensure this sensitive information is properly protected.

So the Bureau of Criminal Apprehension couldn’t get action from the firm either until they sent someone to their office to make it clear how serious this was? Wow.

What Happens Next?

DataBreaches commends and thanks the BCA for their prompt and persistent efforts to get Brandt Kettwick Defense to lock down their data. But that should not be the end of this story.

Brandt Kettwick failed to properly secure files that needed protection. What are they doing to ensure this doesn’t happen again?

Brandt Kettwick failed to have something on their website to inform people how to alert them to a data security issue. What are they doing to ensure they receive security alerts in the future?  Will they create a security@ email address that is monitored and that is displayed on the home page of their website with a note that security alerts can be reported to that email address?

“The standard RFC 9116 provides a good guideline on how to make contacts known to security researchers and thereby avoid embarrassment.” — Martin Seeger
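To illustrate the RFC 9116 approach Seeger points to, here is an added example (not code from the post or from any party named in it): a small checker for the fields RFC 9116 makes mandatory in a /.well-known/security.txt file, namely at least one Contact URI and exactly one Expires timestamp. The domain, addresses and dates in the sample files are constructed for illustration.

```python
from datetime import datetime, timezone

# Added example (not from the post): checks what RFC 9116 requires of a
# /.well-known/security.txt file (Contact, Expires) and the Contact URI scheme.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # URI schemes RFC 9116 names
POST_DATE = datetime(2025, 7, 4, tzinfo=timezone.utc)  # fixed clock for the demo

def parse_security_txt(text):
    """Return {lower-case field name: [values]}; comments and blank lines skipped."""
    fields = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the checks pass."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # RFC 3339 timestamp with offset; fromisoformat needs +00:00, not Z
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"Expires has already passed: {expires[0]}")
        except (ValueError, TypeError):  # unparsable, or no UTC offset given
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems
# Constructed samples: a valid file, and one with a bare address and a past date.
GOOD = """# constructed example for example-law-firm.example
Contact: mailto:security@example-law-firm.example
Expires: 2026-07-01T00:00:00Z
"""
BAD = "Contact: security@example-law-firm.example\nExpires: 2024-01-01T00:00:00Z\n"
if __name__ == "__main__":
    print(validate_security_txt(GOOD, now=POST_DATE), validate_security_txt(BAD, now=POST_DATE))
```

The checker deliberately rejects a bare e-mail address, since RFC 9116 requires Contact values to be URIs, and treats an Expires value without a UTC offset as invalid because RFC 3339 requires one.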

Brandt Kettwick failed to respond properly to multiple alerts. It is one thing to be leery of a phishing attempt, but if you are looking at a URL with your own name in it and you don’t recognize it, you need to escalate the alert to someone who will look at the URL and investigate it. What is Brandt Kettwick doing to train all employees what to do if any alert is received?

Brandt Kettwick claims their IT department told them they were secure. Did Brandt Kettwick actually show them the emails from JayeLTee, DataBreaches, and Seeger with links to some of the exposed files as examples? And is their IT department in-house or outsourced?

Who Will Be Notified?

Does Brandt Kettwick have access logs going back before April of this year?  When was this blob first misconfigured?

How many unauthorized IP addresses accessed, viewed, and/or downloaded files? Did China scoop up all of the law firm’s files while the files were exposed?  Did Russia? North Korea? They probably all have the data by now.  Did our own government who wants a huge database on the citizenry scoop up a copy of the data? Did threat actors who will use the data to try to extort the law firm, or failing that, try to extort the clients download copies of the data?

Some files may be public records, but other files look like they would not be. Does Brandt Kettwick intend to notify everyone whose personal information was exposed in files that were not public records?

What state regulator, if any, will Brandt Kettwick Defense report this incident to?

We’d love to tell you what the law firm is doing as part of its incident response, but none of us have heard from them at all.

Same Old, Same Old

When all is said and done, this is just another frustrating and preventable leak that took too damned long to close down because entities are not required to have notification systems in place, nor procedures for escalating and investigating alerts from third parties.

Some state attorneys general actively investigate and sue businesses that fail to protect residents’ personal and sensitive information. DataBreaches does not know if Minnesota Attorney General Keith Ellison ever investigates incidents like this one, but this is an opportunity for the state to make a strong statement about the need for businesses to properly protect personal information and to respond to security alerts.
