Over 320,000 court records belonging to the second most populous county in the US have been discovered sitting on a misconfigured online database.
Security researcher Jeremiah Fowler and a team from Website Planet soon found that the data was all from Cook County, Illinois, which is home to America’s third-largest city, Chicago.
“There have been several high-profile data exposures of private companies that affected Cook County residents in the past few years including a large hospital data breach. However, this appears to be the largest breach of Cook County internal records to date,” noted Fowler.
“We hope our discovery and notification helped protect and secure this sensitive data before it could be stolen, encrypted with ransomware, or wiped out by an automated bot script. Companies, organizations and even governments must do more to protect the data they collect and store.”
He said that the highly sensitive data appears to have come from an internal records management system, with virtually all exposed records containing some form of personal info including: full names, home addresses, email addresses, case numbers and private case notes.
Dating back nine years, the cases were marked up to signify that they relate to either immigration, family or criminal court proceedings.
Immigration case notes are particularly lucrative for fraudsters as they can help to add legitimacy to social engineering scams.
“In this exposure there was a treasure trove of contacts and data that could have potentially been exploited for a wide range of nefarious purposes,” argued Fowler. “Immigrants are in a vulnerable position and these are real threats against people who can rarely protect themselves or fight back for their rights due to lack of resources, including financial resources.”
Family court records are also particularly sensitive as they can include details of children involved in domestic violence, custody and other cases, he added.
In many cases, the victims were not only exposed to phishing and possible identity theft attempts but also blackmail.
The exposed database was discovered on a Saturday and secured promptly two days later on the Monday. However, there’s no clue as to how long it was left online, available to access by “anyone with an internet connection.”