
Data Breach: Turkish legal advising company exposed over 15,000 clients

Data Breach: WizCase team uncovered a massive data leak containing private information about Turkish Citizens through a misconfigured Amazon S3 bucket.

The server contained 55,000 court papers regarding over 15,000 legal cases, which affected hundreds of thousands of people.

What’s Going On?

Our online security team has uncovered a massive data breach originating from a misconfigured Amazon S3 bucket, which was operated by a Turkish legal advising company, INOVA YÖNETIM & AKTÜERYAL DANIŞMANLIK. Inova is an actuarial consultancy company, which means it compiles statistical analyses and calculates insurance risks and premiums. Inova has been operating since 2012 and has handled thousands of cases since then.

While Amazon offers the necessary tools to secure their services, Inova has not implemented these measures properly.

  • Data leak discovered: 30.09.2020
  • Inova contacted: 01.10.2020
  • Amazon contacted: 06.10.2020
  • Turkish CERT contacted: 05.10.2020
  • Response received:
  • Server secured: 12.10.2020

After further investigation, we have concluded that these documents belonged to people injured or deceased in traffic accidents. All court cases had several types of documents containing the following info regarding the victim:

  • PII such as:
    • Name and Surname
    • National ID number
    • Gender
    • Marital Status
    • Birthdate
  • Details about the insurance such as:
    • Insurance Company Details/Name
    • Dossier No
    • Policy Issuance date
    • Victim’s past and future expected salary
  • Accident details such as:
    • Accident’s/Death’s date
    • Report Date
    • Fault rate

Document included in every court case, showing personal information about the victim

Document showing victim’s salary before the accident as well as expected future salary prior to the accident

Some of the court cases had more information about the victim or involved other people. This included parties such as victims’ beneficiaries, other parties involved in the accident, police officers, and prosecutors.

While investigating, we have also stumbled upon the following kinds of documents:

  • Documents sent to insurance companies containing:
    • Name and surname of involved parties
    • Vehicle license plates
    • Date of accident
    • Severity of the injuries
  • Incident reports taken at the accident site by the police officers containing:
    • Detailed information about how the accident took place
    • Vehicles involved and damages caused to them
    • Both parties’ insurance information
    • Drivers’ names, surnames, national IDs, birthdates, phone numbers, driver’s license information
    • A summary of the accident in handwriting
    • Sketch of the accident
    • Information about the police officers who held the report
  • Photocopies of driver’s licenses
  • Photocopies of vehicle licenses
  • Photocopies of alcohol breathalyzer tests
  • Police complaints post-accident containing:
    • Name and surname of the complainant
    • Mother’s and father’s names
    • Birthdate and birthplace
    • Residency address
    • Profession
    • Phone number
    • Education level
    • Marital Status
    • Gender
    • Signature of the complainant
  • Testimony of the other party containing:
    • Name and surname
    • National identifier
    • Mother and father’s name
    • Birthdate and birthplace
    • Residency address
    • Profession
    • Workplace address
    • Email
    • Phone number
    • Education level
    • Marital status
    • Gender
    • Signature
  • Judicial committee reports containing:
    • Name, surname
    • Birthdate
    • National ID
    • Phone number
    • Medical history
    • Reports from multiple hospitals about the victim’s injuries and the condition
    • Symptoms
    • Administered drugs
    • Epicrisis report
    • Decisions like how long the victim will need care, how long they can’t work for
    • Doctors name
    • Hospital dossier no
  • Advance capital value reports containing how much money is owed by the insurance to the victim
  • Documents sent to court in objection to court experts’ calculation of how much insurance companies owe each of the victims
  • Legal papers including:
    • Name and surname
    • Address
    • National identifier
    • Bank account details
    • Power of attorney information
  • Emails between lawyers and the clients

Police report containing accident details, as well as involved parties’ phone numbers, driver’s license information, name-surname, and national identifier

Sketch of the accident from the police report

Document sent to the insurance company by the victim’s lawyer

Post-trauma health report about the accident

How Did the Data Breach Happen?

This breach originated from a misconfigured Amazon S3 bucket, which contained 55,000 crucial court documents from cases Inova was involved with. The documents totaled more than 20GB and were accessible to anyone who found the S3 bucket. They required no authorization to access, meaning anyone could access this bucket and download massive amounts of personally identifying information about Inova’s clients.

Whose Data was Exposed and What Are the Consequences

Leaked data contained information about more than 15,000 clients of Inova, people who had accidents and hired Inova between the start of 2018 and end of summer 2020. If you had a traffic accident in the last 5 years, odds are Inova was involved with your court case at some point. Although your data may not have been found by anyone else, in case any ill-intentioned hacker discovered it, here are some of the risks people exposed could face:

Phishing Scams and Malware

People whose data might have been exposed need to be extra careful since they can run into scammers masquerading as law enforcement, prosecutors, or lawyers. Scammers like this are pretty common in Turkey. The leaked information also contained the amount of relief funds victims and their families received, so scammers could target people who recently received large amounts of money from the court.

These documents also leaked information about the court cases that only lawyers, insurance companies, and other officials should have access to, such as dossier numbers, accident details, client details, and phone numbers. Always be sceptical about people calling you about your past court cases and asking for money or information.

Identity theft

With large amounts of identity information about the clients leaked in this breach, criminals can use it for identity theft. With details like a client’s beneficiaries, the national ID numbers of clients and their beneficiaries, and phone numbers being leaked, some of the more elaborate identity theft schemes could be executed. With some social engineering, bad actors or criminals could contact a GSM operator, masquerading as the victim, and answer all the verification questions GSM operators would ask in order to clone a SIM card.

After having access to victims’ phone calls and SMS messages, bad actors could then try to do the same operation with clients’ insurance and bank.

Corporate Espionage

Some competing corporations will be able to contact individuals whose court information was leaked and try to convince them to hire their company instead. This is made easier since competitors will have access to information about Inova’s clients.

Blackmail and Threats

Leaked documents include information such as police officers who have kept the reports; documents sent to prosecutors from police officers; names and surnames of the judicial committee members. Personal information like this could cause these individuals to be harassed or blackmailed by people involved in such cases since their identities have been leaked.

Bribing

With the amount of sensitive information in these papers, people involved in one of these cases could attempt to find and track other people involved in the case. This will lead to a rise in attempts to bribe officers to make decisions favoring them, or to bribe them to suppress or change their statements.

What Can I Do to Protect My Data?

With cases such as these, it is unusually difficult to protect your own data because it is often in the hands of the company you are working with. Make sure to send only the necessary information they need and ask them what kind of security measures they are taking to keep your private data private. If you are a European citizen, contact the company that needs your private information and ask them what kind of measures they implemented to comply with GDPR laws.

In this particular case, Turkey has its own set of laws against the improper handling of personal data, named KVKK. We highly recommend that people reach out to Inova and make sure the leak is properly handled. In any case, never trust anyone asking for personal data over the phone. If you receive calls related to your accident, please inform your contact at Inova and make sure the request comes from them.

How and Why We Discovered the Breach

At WizCase, we are constantly scanning random parts of the internet to find data breaches and to get the data secured before criminals can find and abuse it.

As this bucket was left public, without any configuration to protect the files, it could have been discovered and accessed by anyone with the URL. We’ve seen that this bucket also contained technical logs from the company infrastructure that were not accessible to us without proper authorization. Even though authorization mechanisms were there, they were not in place to adequately protect the important files that were found inside the bucket.
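A defender-side check for the situation described here, where case documents were readable without authorization while logs in the same bucket were not: this added example (not WizCase's or Inova's code) evaluates a bucket policy offline and reports which object keys an unauthenticated request could read. The page does not say which setting was wrong, so the policy, bucket name and key prefixes are constructed assumptions.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # IAM-style wildcards: '*' is any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def _anonymous(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _matches(stmt, action, arn):
    return (_anonymous(stmt.get("Principal"))
            and any(_wild(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))
            and any(_wild(r, arn) for r in _as_list(stmt.get("Resource", []))))

def anonymous_can_read(policy, bucket, key, restrict_public_buckets=False):
    """True if an unauthenticated s3:GetObject on bucket/key would be allowed.
    Conservative: a Condition on an Allow is ignored (still reported public), a
    conditioned Deny is not trusted; Not* elements are out of scope."""
    if restrict_public_buckets:  # Block Public Access overrides a public policy
        return False
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt, "s3:GetObject", arn):
            continue
        if stmt.get("Effect") == "Deny" and "Condition" not in stmt:
            return False  # explicit deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def audit(policy, bucket, keys, **block_public_access):
    return {k: anonymous_can_read(policy, bucket, k, **block_public_access) for k in keys}

# Constructed policy and keys (bucket name and prefixes are hypothetical):
# case files are world-readable, the logs/ prefix has no public statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/cases/*"}]}
SAMPLE_KEYS = ["cases/2019/dossier-0001.pdf", "logs/app-2020-09.log"]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "example-bucket", SAMPLE_KEYS))
```

Run against an exported policy, any key that comes back `True` is readable by anyone who learns the URL; enabling the `RestrictPublicBuckets` setting of S3 Block Public Access turns every result to `False`.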

Who is WizCase?

WizCase is one of the biggest international online security websites, with content translated into 30 different languages. We provide tools, tricks, and best practices for online safety and security. This includes detailed VPN reviews and tutorials.

Our online web security team of White Hat hackers has uncovered some of the most significant data breaches, including unsecured webcams and dating site scandals.

Not only do we release our reports to the public, but we disclose them to the company as well, allowing them to secure their servers and creating a more secure environment for everyone.

About the author: Chase Williams

Original post: https://www.wizcase.com/blog/inova-breach-research/


Pierluigi Paganini

(SecurityAffairs – hacking, Data Breach)
