Data Breach: Turkish legal advising company exposed over 15,000 clients

Data Breach: WizCase team uncovered a massive data leak containing private information about Turkish Citizens through a misconfigured Amazon S3 bucket.

The server contained 55,000 court papers regarding over 15,000 legal cases, which affected hundreds of thousands of people.

What’s Going On?

Our online security team has uncovered a massive data breach originating from a misconfigured Amazon Bucket, which was operated by a Turkish Legal advising company, INOVA YÖNETIM & AKTÜERYAL DANIŞMANLIK. Inova is an actuarial consultancy company, which means they compile statistical analysis and calculate insurance risks and premiums. Inova has been operating since 2012 and has handled thousands of cases since then.

While Amazon offers the necessary tools to secure their services, Inova has not implemented these measures properly.

Data leak discovered: 30.09.2020Inova contacted: 01.10.2020Amazon contacted: 06.10.2020Turkish CERT contacted: 05.10.2020Response received: –Server secured: 12.10.2020After further investigation, we have concluded that these documents belonged to people injured or deceased in traffic accidents. All court cases had several types of documents containing the following info regarding the victim:

PII’s such as:Name and SurnameNational ID numberGenderMarital StatusBirthdateDetails about the insurance such as:Insurance Company Details/NameDossier NoPolicy Issuance dateVictim’s past and future expected salaryAccident details such as:Accident’s/Death’s dateReport DateFault rate

Document included in every court case, showing personal information about the victim

Document showing victims salary before the accident as well as expected future salary prior to the accident

Some of the court cases had more information about the victim or involved other people. This included parties such as victims beneficiaries, other parties involved in the accident, police officers, prosecutors.

While investigating, we have also stumbled upon the following kinds of documents:

Documents sent to insurance companies containing:Name and surname of involved partiesVehicle license platesDate of accidentSeverity of the injuriesIncident reports taken at the accident site by the police officers containing:Detailed information about how the accident took placeVehicles involved and damages caused to themBoth parties insurance informationDrivers names, surnames, national ID’s, birthdates, phone numbers, driver’s license informationA summary of the accident in handwritingSketch of the accidentInformation about the police officers who held the reportPhotocopies of drivers licensesPhotocopies of vehicle licensesPhotocopies of alcohol breathalyzer testsPolice complaints post-accident containing:Name surname of the complainantMothers and fathers namesBirthplace and birthplaceResidency addressProfessionPhone numberEducation levelMarital StatusGenderSignature of the complainantTestimony of the other party containing:Name surnameNational identifierMother and father’s nameBirthdate and birthplaceResidency addressProfessionWorkplace addressEmailPhone numberEducation levelMarital statusGenderSignatureJudicial committee reports containing:Name, surnameBirthdateNational IDBirthdatePhone numberMedical historyReports from multiple hospitals about the victim’s injuries and the conditionSymptomsAdministered drugsEpicrisis reportDecisions like how long the victim will need care, how long they can’t work forDoctors nameHospital dossier noAdvance capital value reports containing how much money is owed by the insurance to the victim,Documents sent to court in objection to court experts’ calculation of how much insurance companies owe each of the victimsLegal papers includingName surnameAddressNational identifierBank account detailsPower of attorney informationEmails between lawyers and the clients

Police report containing accident details, as well as involved parties phone numbers, driver’s license information, name-surname, and national identifier

Sketch of the accident from the police report

Document sent to the insurance company by the victim’s lawyer

Post-trauma health report about the accident

How Did the Data Breach Happen?

This breach originated from a misconfigured Amazon S3 bucket, which contained 55,000 crucial court documents Inova was involved with. These documents’ total size was more than 20GB, and it was accessible by anyone who found the S3 bucket. They required no authorization to access, meaning anyone could access this bucket and download massive amounts of personally identifying information about Inova’s clients.

Whose Data was Exposed and What Are the Consequences

Leaked data contained information about more than 15,000 clients of Inova, people who had accidents and hired Inova between the start of 2018 and end of summer 2020. If you had a traffic accident in the last 5 years, odds are Inova was involved with your court case at some point. Although your data may not have been found by anyone else, in case any ill-intentioned hacker discovered it, here are some of the risks people exposed could face:

Phishing Scams and Malware

People whose data might have been exposed need to be extra careful since they can run into scammers masquerading as law enforcement, prosecutors, or lawyers. Scammers like this are pretty common in Turkey. The leaked information also contained the amount of relief funds victims and their families received, so scammers could target people who recently received large amounts of money from the court.

Since these documents also leaked information about the court case that only lawyers, insurance companies, and other officials should have access to, like dossier number, accident details, client details, as well as phone numbers; always be sceptical about people calling you about your past court cases and asking for money or information.

Identity theft

With large amounts of identity information being leaked about the clients in this breach, criminals can use it for identity theft. With details like a client’s beneficiaries, national ID numbers of them and their beneficiaries, and phone numbers being leaked, some of the more elaborate identity theft cases could be executed. With some social engineering, bad actors or criminals could contact a GSM operator, masquerading as the victim, and verify all kinds of verification questions GSM operators would ask to clone a SIM card.

After having access to victims’ phone calls and SMS messages, bad actors could then try to do the same operation with clients’ insurance and bank.

Corporate Espionage

Some competitive corporations will be able to contact individuals whose court information was leaked and try to convince them to hire their company instead. This is made easier since competitors will have access information from Inova’s clients.

Blackmails and Threats

Leaked documents include information such as police officers who have kept the reports; documents sent to prosecutors from police officers; names and surnames of the judicial committee members. Personal information like this could cause these individuals to be harassed or blackmailed by people involved in such cases since their identities have been leaked.

Bribing

With the amount of sensitive information in these papers, people involved in one of these cases could attempt to find and track other people involved in the case. This will lead to a rise of attempts to bribe officers to make decisions favoring them, bribe them to suppress them, or change their statements.

What Can I Do to Protect My Data?

With cases such as these, it is unusually difficult to protect your own data because it is often in the hands of the company you are working with. Make sure to send only the necessary information they need and ask them what kind of security measures they are taking to keep your private data private. If you are a European citizen, contact the company that needs your private information and ask them what kind of measures they implemented to comply with GDPR laws.

In this particular case, Turkey has its own set of laws against the improper handling of personal data, named KVKK. We highly recommend people to reach out to Inova and make sure the leak is properly handled. In any case, never trust anyone asking for personal data over the phone, if you receive calls related to your accident, please inform your contact at Inova and make sure the request comes from them.

How and Why We Discovered the Breach

At Wizcase, we are constantly scanning random parts of the internet to find data breaches and to get the data secured before criminals can find and abuse it.

As this bucket was left public, without any configuration to protect the files, it could have been discovered and accessed by anyone with the URL. We’ve seen that this bucket also contained technical logs from the company infrastructure that was not accessible to us without proper authorization. Even though authorization mechanisms were there, they were not in place to adequately protect the important files that were found inside the bucket.

Who is Wizcase?

WizCase is one of the biggest international online security websites, with content translated to 30 different languages. We provide tools, tricks, and best practices for online safety and security. This includes detailed VPN reviews and tutorials.

Our online web security team of White Hat hackers have uncovered some of the most significant data breaches, including unsecured webcams and dating site scandals.

Not only do we release our reports to the public, but we disclose them to the company as well, allowing them to secure their serves and creating a more secure environment for everyone.

Author the author: Chase Williams

Original post: https://www.wizcase.com/blog/inova-breach-research/

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Data Breach)

The post Data Breach: Turkish legal advising company exposed over 15,000 clients appeared first on Security Affairs.