Data security flaw exposes details of thousands of legal documents


A data security flaw has left more than 10,000 legal documents containing sensitive details of commercial property owners unsecured for years in an online database, potentially affecting the clients of about 190 law firms.

The cache of documents, which included Companies House property transaction forms containing authentication details such as email addresses and passwords, had been scanned and uploaded by legal firms — including three of the “magic circle” — using a product from Advanced Computer Software, Britain’s third-largest software company.

Justin Young, director of security and compliance at Advanced, said in a statement: “We discovered some exposed data on one of our historic software platforms and took immediate steps to address the issue, secure the data and make contact with the small number of affected customers.”

The flaw was first discovered by TurgenSec, a small British technology company, which contacted the law firms it saw named in the exposed data earlier this month and subsequently informed Advanced.

TurgenSec said in a statement that leaving a security hole open for an extended period of time, exposing authentication and other details, was serious.

Though the exposure of legal documents is of a different scale to recent incidents — including at Virgin Media and British Airways — involving much larger customer databases, the inclusion of authentication information raised concerns about the potential impact if the exposed data fell into the wrong hands.

“Due to the sensitive nature of the data, we judged there to potentially be a high risk of harm to the individuals and firms involved,” TurgenSec said.

Advanced said that the data, which related to commercial property transactions and predated 2017, was largely of public record. However, business email addresses, passwords and security verification responses were also in the database. These could have included passwords, eye colour, parents’ names, addresses and partial passport numbers, which are not in the public domain.

Mr Young said that only a “very limited amount” of information was discernible from the exposed data, as passwords were all in a “secure hashed form” and other responses were only partially visible. “None of the data is deemed sensitive or special category under current legislation. We have taken legal advice to verify our position,” he said. 

Advanced’s products cover a variety of sectors including healthcare and legal software, and it counts the National Health Service and British Gas as customers. It was valued at £2bn when its private equity owner Vista Equity Partners sold a 50 per cent stake to BC Partners last year.

Advanced’s website claims that 86 per cent of legal firms are concerned about data security. “Law firms can be the target for criminals who want access to the sensitive information and funds they hold. Sourcing systems that offer optimum levels of protection is key,” it said on the legal forms section of its website.

The company has not reported the data incident to the Information Commissioner’s Office, according to a person with direct knowledge of the situation.

Advanced acquired Laserform, a 30-year-old company specialising in legal documentation, in 2006 for £4.8m and last year added rival Oyez Professional Services to bulk up in the legal software industry.

It is the latest in a series of data-control issues and cyber attacks in the telecoms and technology sector, with Virgin Media, TalkTalk, Three and Sage Group all hit in recent years.

