DataBreaches recently reported that researchers had discovered sealed filings and court records belonging to two courts exposed on the internet, and that the vendor responsible was not responding to notifications.
For months, DataBreaches tried to alert a software vendor that its clients’ files, including confidential and sealed court records, were exposed on the internet. The vendor never responded.
The software vendor is Software Unlimited Corp (SUCO) in Tupelo, Mississippi. Please do not confuse them with Software Unlimited, Inc., which markets K-12 school accounting software. SUCO provides criminal and civil case management software for prosecutors.
After DataBreaches also notified the affected courts, one of the courts had its local IT vendor call SUCO about the issue. SUCO reportedly told them that the problem was “fixed,” but an employee had only moved the Samba share to another IP address. Moving an exposed share to a new address is not remediation: the client located the new IP address within minutes and saw that its data was still exposed. It then instructed SUCO to take the share down.
That took one entity’s share offline, but the second entity’s larger share was still exposed.
DataBreaches emailed the second entity again yesterday. This time, the email was read by someone who immediately recognized it as legitimate and urgent. Within an hour of receiving the email and reviewing our earlier post, the entity instructed SUCO to remove its share entirely.
In a follow-up phone call, DataBreaches learned that when the entity had contacted SUCO previously after receiving one of our alerts, SUCO reportedly told them that everything was fine and that there were always a lot of scam emails.
Two clients who reported the issue to SUCO were told that everything was fine when in fact their data was exposed. How many other SUCO clients still have Samba shares exposed? We do not know, but clients running SUCO software on a hosted platform should have a security professional check any Samba shares to ensure they have adequate protection: that the shares are not reachable from the internet, that guest access is disabled, and that only authenticated, authorized users can read them.
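As an added illustration of what such a check looks like on the server side (this is example code written for this post, not SUCO’s software or any real client’s configuration), the script below audits an smb.conf for the settings that make a share readable without credentials: guest access, “map to guest”, a missing “hosts allow” list, and a daemon bound to every interface. The two configurations, share names and paths are constructed for the example; the hardened one shows the same shares with the exposure closed.

```python
"""Flag smb.conf shares that would be reachable without credentials."""
import configparser

# Constructed sample: hypothetical share names and paths, not from any real site.
EXPOSED_SMB_CONF = """[global]
   map to guest = Bad User

[casefiles]
   path = /srv/cases
   guest ok = yes
   read only = no

[sealed]
   path = /srv/sealed
   public = yes
   hosts allow = 10.0.0.0/8 127.0.0.1

[intake]
   path = /srv/intake
   valid users = @prosecutors
"""

# The same shares with the exposure closed: no guest access, smbd bound to one
# internal interface, and a hosts allow list inherited by every share.
HARDENED_SMB_CONF = """[global]
   map to guest = Never
   interfaces = lo 10.0.0.5/24
   bind interfaces only = yes
   hosts allow = 10.0.0.0/24 127.0.0.1

[casefiles]
   path = /srv/cases
   guest ok = no
   read only = no
   valid users = @prosecutors
"""

# smb.conf accepts synonyms for several parameters; fold them onto one name.
SYNONYMS = {"public": "guest ok", "allow hosts": "hosts allow",
            "writeable": "writable", "write ok": "writable"}


class SmbConfParser(configparser.RawConfigParser):
    """RawConfigParser does no '%' interpolation, which smb.conf values use (%U, %m)."""

    def optionxform(self, optionstr):
        key = optionstr.strip().lower()
        return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; section names keep their case."""
    parser = SmbConfParser(strict=False)  # strict=False tolerates repeated keys
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def is_yes(value):
    return value.strip().lower() in {"yes", "true", "1"}


def share_is_writable(share):
    # 'writable = yes' is the inverse of 'read only', which defaults to yes.
    if "writable" in share:
        return is_yes(share["writable"])
    return not is_yes(share.get("read only", "yes"))


def audit_smb_conf(text):
    """Map 'global' and each share to a list of findings (empty list = clean)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = {"global": []}
    if not (is_yes(g.get("bind interfaces only", "no")) and "interfaces" in g):
        findings["global"].append("smbd listens on every interface, including public ones")
    # 'map to guest' turns failed logins into guest sessions, so any username
    # and password reaches every 'guest ok' share.
    guest_mapping = g.get("map to guest", "Never").strip().lower() != "never"
    for name, share in conf.items():
        if name == "global":
            continue
        issues = []
        # share-level parameters take their default from [global]
        if is_yes(share.get("guest ok", g.get("guest ok", "no"))):
            issues.append("guest ok: readable without credentials")
            if share_is_writable(share):
                issues.append("writable while guest ok: anonymous users can modify files")
            if guest_mapping:
                issues.append("map to guest enabled: failed logins are served as guest")
        if "hosts allow" not in share and "hosts allow" not in g:
            issues.append("no hosts allow: any source address can connect")
        findings[name] = issues
    return findings
```

Running audit_smb_conf(EXPOSED_SMB_CONF) flags every section; audit_smb_conf(HARDENED_SMB_CONF) returns only empty lists. The config-level check complements, rather than replaces, an external test: a share that passes here can still be exposed by a firewall or cloud security group that forwards port 445 from the internet, so also confirm from an outside address that the host does not answer on SMB at all.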
And since it’s Cybersecurity Awareness Month…
On this last day of Cybersecurity Awareness Month, DataBreaches urges everyone to check the home page of their website and ensure it includes contact information for third parties to report security incidents, or that such information is published in a security.txt file at /.well-known/security.txt. Neither of the two entities in this incident had provided any clear means for third parties to alert them to a security issue.
Do not count on people spending a lot of their time trying to find a way to reach you to report a data security issue. Post something on your home page that tells them how to reach you, and monitor that account or method.
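To make the security.txt recommendation concrete, here is an added example (written for this post, not taken from either entity or from the RFC itself) that checks a file for what RFC 9116 requires before it is published: at least one Contact that is a URI, exactly one Expires timestamp that has not passed and is not more than a year out, and no repeated Preferred-Languages. The sample file and the domain example-court.gov in it are constructed for the example.

```python
"""Check a security.txt file for the fields RFC 9116 requires."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample for a hypothetical domain; not any real organization's file.
SAMPLE_SECURITY_TXT = """# security.txt for example-court.gov (constructed sample)
Contact: mailto:security@example-court.gov
Contact: tel:+1-555-0100
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example-court.gov/.well-known/security.txt
"""


def parse_security_txt(text):
    """Return {field name (lowercased): [values]}; lines starting with '#' are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_timestamp(value):
    """ISO 8601 as RFC 9116 uses it; 'Z' is rewritten for Pythons before 3.11."""
    stamp = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks.

    `now` is an ISO 8601 string so results are reproducible; default is the
    current UTC time.
    """
    current = parse_timestamp(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required at least once")
    for contact in contacts:
        # Contact must be a URI (mailto:, tel:, https:); a bare address is not
        # a URI, and a web URI must use https.
        scheme = urlsplit(contact).scheme
        if not scheme or scheme == "http":
            problems.append(f"Contact must be a URI, and web URIs must use https: {contact}")
    for name in ("expires", "preferred-languages"):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must not appear more than once")
    expires = fields.get("expires", [])
    if not expires:
        problems.append("Expires is required")
    elif len(expires) == 1:
        try:
            expiry = parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if expiry <= current:
                problems.append("file has expired; researchers may treat it as stale")
            elif expiry - current > timedelta(days=365):
                problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems
```

The Expires check is the one most often missed: an expired file signals that nobody is maintaining the contact route, which is exactly the impression a researcher with an urgent report should not get. Pair the file with a monitored mailbox; a security.txt pointing at an unread address is no better than no file at all.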
—
This post was edited post-publication to correct a sentence referring to a security.txt file.
For folks looking to help: RFC 9116 is now ratified – as indicated in this post – and placing a security.txt file in a well-known location is a great way for folks to get in touch in the case of a security issue.
https://www.rfc-editor.org/rfc/rfc9116
Also – RFC 2142 indicates that a mailbox security[@]domain should be maintained and monitored for exactly these situations.
https://www.rfc-editor.org/rfc/rfc2142
Unfortunately – both of these RFCs are “optional” – but I encourage folks to adhere to them nonetheless.