Unsecured Server Exposed Records Containing Sensitive Personal Data and Case Notes From Cook County Court
On September 26, 2020, researchers discovered an unsecured Elasticsearch server exposing more than 323,277 Cook County court-related records containing highly sensitive personal data. Cook County, Illinois, is the second most populous county in the U.S., with a population in excess of 5 million people.
The records contained PII such as full names, home addresses, email addresses, and court case numbers, WebsitePlanet, together with researcher Jeremiah Fowler, said. More worryingly, they also contained notes on the status of both the case and the individuals concerned. The case type seems to have been categorized by indicators such as IMM (probably ‘immigration’), FAM (probably ‘family’), and CRI (probably ‘criminal’). The data was in plaintext, and access from the internet was unrestricted. The content could be accessed, downloaded, altered or deleted by anyone with an internet connection.
On the day of discovery, a Saturday, WebsitePlanet informed the Cook County CTO about the exposure. Early the following Monday, the database was secured and public access restricted. It was exposed for at least the best part of two days, but there is no indication of how long the database may have been available online prior to WebsitePlanet’s discovery.
The researchers received no response from the Cook County CTO, so there is no guarantee that the database actually belonged to Cook County. However, the timing of disclosure and remediation makes it highly likely. Similarly, with no response from Cook County, there is no way to determine whether the database had been accessed by people with criminal intent. However, it is worth assuming that if researchers can discover a misconfigured database, so can hackers. Criminals who may have accessed the database would have found a treasure trove of actionable information.
WebsitePlanet postulates that the database may have belonged to a specialist Cook County department of case workers working with people who needed additional help. Almost by definition, everybody included within the database could be classified as ‘vulnerable’ and a prime target for scammers. The information contained would provide numerous approaches to such attacks.
Attacks could range from identity theft to blackmail. The latter would have been facilitated by the detailed case notes in the records. One, for example, reads, “I-30 (petition for Alien Relative) is approved through child she needs to marry in order to proceed with waiver Husband. However, Husband was accused of sexual assault against a minor. Need to wait to see Dispo of that charge to ensure eligibility – we will wait.” This was coupled with the name of the individual concerned and the case number in plaintext.
The family court records, most likely those labeled with the FAM indicator, are similarly open to abuse by blackmail. The family court deals with matters including divorce, child custody, visitation, domestic violence, protecting minors from abuse or neglect, and crimes by minors. Sensitive data in the wrong hands could be used for extortion by threatening to release the data to other family members, to employers, or just generally.
It is worth noting that many of the details exposed by this database are far more explicit than the details published in the public court proceedings, where personal details of vulnerable people are left vague or excluded.
Interestingly, WebsitePlanet contacted the Cook County CTO via his email address at Major Scale Technology Management, a firm that specializes in management consulting on IT strategy. According to the researchers, this CTO had founded Major Scale Technology Management several years earlier, and it had contracts with Cook County. The speed with which the database was subsequently secured led WebsitePlanet to comment, “We can only assume that our data exposure notice made it to the right person who was responsible for this dataset. Although the data was clearly internal court records it is still not entirely clear what role Major Scale plays currently in Cook County’s IT infrastructure or the separation between the CTO and Major Scale.”
In reality, these are only assumptions. WebsitePlanet has never received confirmation of its database exposure disclosure, and has found no record of Cook County publicly confirming a possible breach. Nor is it known whether the County contacted the individuals contained in the database to warn them their personal data may have been exposed.