The WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained over 323,277 court related records. Upon further investigation, the researchers discovered that the records were all related to Cook County, Ill., the second most populous county in the United States after Los Angeles County.
According to the research team, nearly every record, which dated back to 2012 and all the way up to 2020, contained some form of personally identifiable information (PII) such as full names, home addresses, email addresses, case numbers, and private details about the cases. The database appeared to be be an internal record management system that contained detailed notes about case status or about issues with the cases or individuals.
The database contained the names, addresses and extremely detailed case notes, exposing the plaintiffs and defendants and their cases. The records were categorized by abbreviated names and I can assume that they were as follows: IMM (Immigration); FAM (Family); and CRI (Criminal). These records could have possibly been edited, altered, or even deleted due to the misconfiguration and lack of administrative credentials, say the researchers.
Image courtesy of WebsitePlanet
The researchers immediately contacted the Cook County CTO. The database was secured days later. It is unclear, however, if the affected individuals were notified about the data exposure or if they were were informed about the risk of how this information could be used to potentially target them. The researchers say, "We could not find any reference to a public notice of a data breach of court records. No one replied to our responsible disclosure notice, phone voice message, or a follow up email, so we were unable to know exactly what these records were used for or the full extent of the exposure."
The data, if accessed by malicious actors, could be highly valuable, as the database was not password-protected and lacked basic security protections, the research team notes. Individuals could be targeted for their personal data, and potentially blackmailed, harassed and threatened to have their records exposed.
For the full report and findings, please visit https://www.websiteplanet.com/blog/court-records-leak-report/