Over 320,000 court records that appear to come from the second most populous county in the US have been discovered sitting on a misconfigured online database.
Security researcher Jeremiah Fowler and a team from Website Planet claimed that the data was all from Cook County, Illinois, which is home to America’s third-largest city, Chicago.
“There have been several high-profile data exposures of private companies that affected Cook County residents in the past few years including a large hospital data breach. However, this appears to be the largest breach of Cook County internal records to date,” noted Fowler.
“We hope our discovery and notification helped protect and secure this sensitive data before it could be stolen, encrypted with ransomware, or wiped out by an automated bot script. Companies, organizations and even governments must do more to protect the data they collect and store.”
He said that the highly sensitive data appears to have come from an internal records management system, with virtually all exposed records containing some form of personal info including: full names, home addresses, email addresses, case numbers and private case notes.
However, in a twist to the story, a Cook County Bureau of Technology spokesperson contacted Infosecurity and other publications, as well as Fowler, to explain that the server in question does not actually belong to the Cook County government.
Dating back nine years, the cases were reportedly marked up to signify they relate to either immigration, family or criminal court proceedings.
Immigration case notes are particularly lucrative for fraudsters as they can help to add legitimacy to social engineering scams.
“In this exposure there was a treasure trove of contacts and data that could have potentially been exploited for a wide range of nefarious purposes,” argued Fowler. “Immigrants are in a vulnerable position and these are real threats against people who can rarely protect themselves or fight back for their rights due to lack of resources, including financial resources.”
Family court records are also particularly sensitive as they can include details of children involved in domestic violence, custody and other cases, he added.
In many cases, the victims could have been exposed not only to phishing and possible identity theft attempts but also blackmail.
The exposed database was discovered on a Saturday and secured promptly two days later on the Monday. However, there’s no clue as to who it belongs to and how long it was left online, available to access by “anyone with an internet connection.”