Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Illinois Court Exposes More Than 323,000 Sensitive Records

Unsecured Server Exposed Records Containing Sensitive Personal Data and Case Notes From Cook County Court

Unsecured Server Exposed Records Containing Sensitive Personal Data and Case Notes From Cook County Court

On September 26, 2020, researchers discovered an unsecured Elasticsearch server exposing more than 323,277 Cook County court related records containing highly sensitive personal data. Cook County, Illinois, is the second most populous county in the U.S., with a population in excess of 5 million people.

The records contained PII such as full names, home addresses, email addresses, and court case numbers, WebsitePlanet together with researcher Jeremiah Fowler, said.  More worryingly, they also contained notes on the status of both the case and the individuals concerned. The case type seems to have been categorized by indicators such as IMM (probably ‘immigration’), FAM (probably ‘family’), and CRI (probably ‘criminal’). The data was in plaintext, and internet access had no restrictions. The content could be accessed, downloaded, altered or deleted by anyone with an internet connection.

On the day of discovery, a Saturday, WebsitePlanet informed the Cook County CTO about the exposure. Early the following Monday, the database was secured and public access restricted. It was exposed for at least the best part of two days, but there is no indication on how long the database may have been available online prior to WebsitePlanet’s discovery.

The researchers received no response from the Cook County CTO, so there is no guarantee that the database actually belonged to Cook County. However, the timing of disclosure and remediation makes it highly likely. Similarly, with no response from Cook County, there is no way to determine whether the database had been accessed by people with criminal intent. However, it is worth assuming that if researchers can discover a misconfigured database, so can hackers. Criminals who may have accessed the database would have found a treasure trove of actionable information.

WebsitePlanet postulates that the database may have belonged to a specialist Cook County department of case workers working with people who needed additional help. Almost by definition, everybody included within the database could be classified as ‘vulnerable’ and a prime target for scammers. The information contained would provide numerous approaches to such attacks.

Attacks could range from identity theft to blackmail. The latter would have been facilitated by the detailed case notes in the records. One, for example, reads, “I-30 (petition for Alien Relative) is approved through child she needs to marry in order to proceed with waiver Husband. However, Husband was accused of sexual assault against a minor. Need to wait to see Dispo of that charge to ensure eligibility – we will wait.” This was coupled with the name of the individual concerned and the case number in plaintext.

The family court records ‒ most likely those delimited with the FAM epithet ‒ are similarly open to abuse by blackmail. The family court deals with matters including divorce, child custody, visitation, domestic violence, protecting minors from abuse or neglect, and crimes by minors. Sensitive data in the wrong hands could be used for extortion by threatening to release the data to other family members, employers or just generally.

Advertisement. Scroll to continue reading.

It is worth noting that many of the details exposed by this database are far more explicit than the details published in the public court proceedings, where personal details of vulnerable people are left vague or excluded.

Interestingly, WebsitePlanet contacted the Cook County CTO via his Major Scale Technology Management ‒ a firm that specializes in management consulting on IT strategy ‒ email address. According to the researchers, this CTO had founded Major Scale Technology Management several years earlier, and it had contracts with Cook County. The speed with which the database was subsequently secured led Website Planet to comment, “We can only assume that our data exposure notice made it to the right person who was responsible for this dataset. Although the data was clearly internal court records it is still not entirely clear what role Major Scale plays currently in Cook County’s IT infrastructure or the separation between the CTO and Major Scale.”

In reality, these are only assumptions. WebsitePlanet has never received confirmation of its database exposure disclosure, and has found no record of Cook County publicly confirming a possible breach. Nor is it known whether the County contacted the individuals contained in the database to warn them their personal data may have been exposed.

Related: Attackers Turn Elasticsearch Databases Into DDoS Bots

Related: Data on 1.2 Billion Users Found in Exposed Elasticsearch Server

Related: Elasticsearch Servers Latest Target of Ransom Attacks

Related: Elasticsearch Instances Expose Data of 82 Million U.S. Users

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...