In a special edition of “No need to hack when it’s leaking,” DataBreaches reports on a software vendor that, despite multiple attempts by multiple parties, continues to expose confidential and sealed court records.
Overview
As a matter of policy, DataBreaches does not publish unredacted stolen or leaked data if it would expose personally identifiable or protected health information.
As a matter of policy, DataBreaches does not report on misconfigured storage devices until they have been secured.
And as a matter of policy, DataBreaches does not advise readers to avoid doing business with a firm, or cancel any contracts, or sue them.
Some of the above is about to change. Despite months of trying to get a software vendor to respond to alerts that their clients’ files are exposed on the internet — including confidential and sealed court records — the vendor did not respond.
The software vendor is Software Unlimited Corp in Tupelo, Mississippi. Please do not confuse them with Software Unlimited, Inc., which markets K-12 school accounting software. Software Unlimited Corp provides criminal and civil case management software for prosecutors. See the “About Software Unlimited Corp” section of this report for more information about the firm.
Redacted examples of just a few of the exposed files are included later in this report.
Chronology
The following is a partial chronology of the numerous efforts to secure exposed shares containing state-level and county-level court records and prosecutors’ files. While many files are public records, researchers discovered confidential and sealed records that were also being exposed. Many of the files involved juvenile court filings and records related to court cases.
By now, the effort to secure the exposed shares has included three researchers, DataBreaches, Mandiant, one FBI agent, and one IT vendor who has tried to assist one of the affected counties. To protect individuals from potential harassment, DataBreaches is not naming any of the individuals publicly. Nor will DataBreaches disclose the states and counties whose records have been or are being exposed. We may reveal their identities in a future post.
July 16, 2025: A researcher known to DataBreaches contacted this site to report finding exposed court records that appeared sensitive. The share appeared to contain data from a single state, specifically one county within it. The share was exposing more than 100 GB of files.
We suspected it might be a vendor, but we were unable to identify with certainty who was responsible for the share.
July 17 – 18, 2025: A second researcher, also involved in the discovery of the exposure, emailed the state and county to alert them. He received no replies, so he expanded the contact list and sent additional alerts the next day. He still did not receive any replies.
July 22, 2025: One of the researchers discovered a second IP address with an exposed share containing the same types of records. That share, involving records from a second state, exposed more than 770 GB of files, including confidential and sealed records.
Note: Since that time, the researchers periodically checked the shares to determine if they were still exposed and being updated (they were).
July 28, 2025: By this point, we were pretty sure that Software Unlimited Corp was the software vendor responsible for the shares. However, we chose not to contact them directly, as we were not totally sure, and we did not want to risk revealing files they had no right to access. Instead, DataBreaches reached out to a contact at Mandiant because Google was hosting the shares. DataBreaches explained the situation regarding exposed sensitive and sealed court records and requested that they contact their client(s) about the exposed shares. Google could not disclose its client’s identity to DataBreaches due to confidentiality, but later confirmed to us that it had reached out to its client and alerted them to the exposed shares. When DataBreaches asked whether they notified a “client” or “clients,” they responded that it was one client for both IP addresses.
When shares were still exposed weeks later, DataBreaches reached out to Mandiant again to ask them to contact their client again. Once again, they reportedly did alert their client.
August 12, 2025: DataBreaches contacted a criminal defense attorney to inform them that their client’s sealed records were exposed on the internet. The contact form message urged the lawyer to notify the state or county that the data had been exposed. The message included their client’s case number and details, but the lawyer never responded to DataBreaches. Whether he ever contacted the court or the county is unknown to DataBreaches.
August 14, 2025: DataBreaches sent a detailed email to the only email address Software Unlimited Corp listed on their site. They did not reply, and the shares remained exposed.
August 15, 2025: DataBreaches called Software Unlimited Corp. A woman answered the phone, but when DataBreaches started explaining that she was calling about a data security issue, the woman hung up without explanation. The whole call lasted 13 seconds. DataBreaches called back. No one answered, and the call went to voicemail options. DataBreaches left a detailed voicemail for the administrator during a two-minute call. They did not call back, and the shares remained exposed.
Hours later, DataBreaches contacted the Mississippi FBI field office in Jackson, requesting that they either knock on Software Unlimited Corp’s door or call them. Upon learning that the software vendor’s clients were also located in other states, the Mississippi field office employee requested that I report this as a tip to the national tip line at IC3.gov. DataBreaches did that, and a screener eventually called to ask questions and gather some information. Neither the Mississippi field office nor anyone from the national tipline followed up with DataBreaches.
At some point (DataBreaches does not remember the date), DataBreaches also left messages for Mike Dillard and June Geddie of Software Unlimited Corp on their LinkedIn accounts. As of today, those messages are still “pending,” meaning they have never been read.
DataBreaches also sent an updated email to one of the affected entities, informing them that Software Unlimited Corp was the responsible party and they should contact them to get the exposed share locked down. They did not reply.
August 16, 2025: DataBreaches re-sent the detailed email to Software Unlimited Corp, hoping that if the FBI had called them, the email would be read and addressed. They did not reply.
August 18, 2025: DataBreaches filed a formal watchdog complaint against Software Unlimited Corp with the Federal Trade Commission, seeking injunctive relief and whatever remedies the FTC would find appropriate.
By now, a third researcher had joined the effort. In his research, he discovered additional IP addresses that had been exposed and that appeared to be linked to the same vendor. He also found that all of the exposed shares were using the same (probably default) password for their MySQL database.
One of the third researcher’s most interesting findings involved a prosecuting attorney’s share from a third state, which had been encrypted with timestamps showing dates in early March 2025. Had Software Unlimited Corp’s failure to secure that client’s share resulted in all of the files being encrypted? DataBreaches does not know, but it seems possible.
By now, we had a list of six IP addresses that had all had, or still had, exposed shares. The researchers had found indications that IP addresses owned by the vendor had been exposing court and county records intermittently since 2024. Some of the shares that were currently exposed had previously been on other IP addresses and had also been exposed on their previous IP addresses.
August 27, 2025: At some point, one of the entities that DataBreaches emailed on August 15 reportedly contacted their local IT vendor to ask for his help understanding our email and responding to it. That local IT vendor, who was not responsible for the share but was trying to help his client, contacted DataBreaches. After a phone call, the county followed up by hiring another vendor to replace Software Unlimited Corp, but the share remained exposed on the IP address.
September 19, 2025: Someone from the second state’s judicial security team contacted DataBreaches in response to another email sent to a court clerk in that state earlier that day. The security professional had reviewed the files attached to the email and concurred that they were real and confidential, and therefore should not be exposed. DataBreaches responded to his email and provided him with the share’s IP address and other information that they requested. DataBreaches never heard back from them, however, despite sending a follow-up email and calling him.
October 8-9: We were on the verge of admitting defeat in our attempt to secure the shares without publicly revealing the situation. DataBreaches sent one more round of emails to the two states/counties, informing them that we would publish after 48 hours.
October 11, 2025: The local IT vendor who had called DataBreaches in August on behalf of the first state’s county contacted DataBreaches again to report he had reached Software Unlimited Corp by phone, and that Mike Dillard had assured him that the problem was “fixed.” Dillard reportedly also claimed that the researchers had used “hacking techniques” to access the data. Although the share was now timing out, the local vendor suspected that the share had just been moved to another IP address. Within a few minutes of searching, he found where it had been moved to, and yes, it was still unsecured.
In a subsequent follow-up with DataBreaches, the local IT vendor stated that the following day, he and a representative of the county’s Forensic IT team called Software Unlimited Corp again and instructed them to shut down the virtual host.
As to the second state — the one with 770 GB of files exposed — its share is still exposed as of this writing. DataBreaches has no idea why they didn’t follow up after they seemed to understand the situation.
So Here We Are Now
As noted earlier in this article, this is only a partial chronology of all the calls, emails, and efforts made to get Software Unlimited Corp to lock down two exposed shares. Databreaches does not know how many other states or counties may also have their shares exposed, or for how long they have been exposed.
How many reports have we seen about Russia, China, and North Korea hacking into government agencies to obtain information? Have all of this vendor’s cloud-hosted files already been compromised by adversaries or criminals without any hacking required? We don’t know.
For how many years has this firm failed to secure clients’ data adequately? We don’t know that, either, but this situation and the vendor’s incident response — or lack thereof — is totally unacceptable.
DataBreaches is grateful for the dedication of the researchers who discovered and investigated these leaks and who donated so much of their time trying to ensure these shares were locked down. Thanks also to Mandiant and to an FBI Cyber agent in another part of the country. After I subjected the agent to one of my rants about the government’s failure to have a centralized method for reporting leaks that the government would then handle, the agent emailed and called the president of Software Unlimited Corp to alert them to the leak. They didn’t reply to him, but at least he tried. His last email to me on the subject said he hoped this incident would not end up in the “No need to hack” series, but alas, that’s precisely where it is.
Confidential and Sealed Files Exposed
To protect files that are still exposed, DataBreaches has not listed IP addresses, specific file names, entity names, or locations in this article. But we do want readers to understand that for at least months, and likely much longer, confidential and sealed records have been exposed.
The following are highly redacted examples of the kind of files that were exposed without any security, even after court orders presumably resulted in them being sealed. Other files may not be sealed but appear to be confidential. Some of these files are very recent.
The first image, below, is part of an email chain of plea negotiations between a county attorney and defense counsel for someone charged with possession of a controlled substance and other charges. The more recent email from the defense counsel is at the top, and the county’s original offer is below that. Subsequent emails between them, also exposed, show what the defendant ultimately agreed to after further negotiations between the prosecutor and defense attorney. While the results of the plea agreement become public record, negotiations between attorneys are confidential and not public records. Yet these records have been exposed.
The second image, below, is just one of many, many files concerning juvenile criminal cases. Many of the cases, like this one, involve drugs, and the child’s records were ordered to be sealed. However, the court’s attempt to seal the documents to protect the child failed because the software vendor had not adequately secured the share. There are many such exposed files with children’s names, date of birth, charges, history of a case, witness statements, and more — all exposed.
The third image below is included to show how some of the exposed files contain extremely sensitive information. This is just the first page of a multi-page file from a case where a child accused their great-grandfather of sexual abuse. In this section of the medical evaluation report, the medical examination of the child is discussed. The child’s name, their father’s name, and their great-grandfather’s name all appear in the file, as do many other details and past histories. None of this record should be publicly available. However, due to the failure to secure the share properly, it is exposed. It will remain exposed until the client contacts Software Unlimited Corp to have the share shut down or appropriately secured (and not just moved to another IP address). DataBreaches notes that this particular file was generated and uploaded after the county and state were notified of the exposed share. Perhaps if they had responded and followed through, this file would never have been exposed and wouldn’t still be exposed.
The images above only hint at the risk associated with sealed or confidential files being exposed. Consider witness statements that include demographic/identifying information about the witnesses, along with their statements that have been leaked publicly. Will some witnesses now be at greater risk of retaliation or violence in some cases? Think about kids who have been arrested or charged with drug-related charges and whose records have been sealed to give them a chance not to have that record follow them everywhere, but now it will. Think about people who may have been charged or arrested on domestic abuse or child abuse charges, and all of the details are made public, including the names and ages of children and what happened to them. Think about cases with lurid information in what should be sealed court filings being made public, even when the defendant has been acquitted or charges were dismissed.
What to Do?
Current clients using this vendor’s software with cloud hosting installed by Software Unlimited Corp should immediately contact their IT department or consultant to investigate whether their cloud-hosted shares are correctly secured. Whoever does the investigation will need to know the share’s IP address and how to access Samba (SMB) shares. DataBreaches suggests that clients not just take the vendor’s word for it that the problem is “fixed.”
All former and current clients of Software Unlimited Corp who had the vendor handle the cloud storage of their share should also contact the software vendor and request at least six months of access logs to their data.
DataBreaches does not know for how many years or months Software Unlimited Corp may have been failing to secure shares properly. Past and current clients will need to investigate, but they won’t investigate or take action if they are unaware of the problem. Please help inform other entities that might be at risk.
DataBreaches considered asking CISA or the FBI to issue an alert to clients of this vendor. However, with the government shutdown and two-thirds of CISA furloughed and many remaining employees reassigned to deportations instead of cybersecurity, it’s unclear what, if anything, either agency would do at this point.
About Software Unlimited Corp
Software Unlimited Corp (Software Unlimited Corp) has its registered address as 132 Robins Street, Tupelo, Mississippi. The property is owned by Software Unlimited Properties, LLC, which has its principal office at 922 Lynn Circle, Tupelo, Mississippi. Rowland H. Geddie was the founder of Software Unlimited Corp. June Geddie is the CEO. Mike Dillard lists himself as the Senior Technical Services Specialist / Lead Installer Trainer at Software Unlimited Corp.
Software Unlimited Corp makes software oriented towards prosecutors and case management. Their products include Prosecutor Caseload Management, Prosecutor Victim & Witness Management, Hot and Worthless Check Management, Pretrial Diversion and Restitution Accounting, Document Management System for Prosecutors, Child Support Case Management, and Civil Case Management.
NOTE: If any national news site or media outlet wishes to report on this incident, feel free to email this site or reach out to DataBreaches on Signal to discuss whether we can provide more data or details for your reporting. If you are a customer of Software Unlimited Corp who discovered that your data has been exposed, DataBreaches would like to hear from you. Please email SUCO_report@databreaches[.]net.
I imagine that this kind of leak is not so uncommon with CMS vendors for county governments. I personally work with similar CMS vendors using outdated NAS devices with insecure SMB shares, and the company I work for has had to fight with said vendor to implement any kind of security on their end. Fortunately, as we control the networks these devices reside on, we can and have protected our networks where possible to prevent situations like this article addresses.
More often than not, I have experienced combative behavior when trying to facilitate conversations with similar vendors to cooperate with us in securing a client environment.