A security lapse saw Proskauer Rose, an international law firm headquartered in New York City, expose sensitive client data for more than six months, TechCrunch has learned.
A person with knowledge of the incident told TechCrunch that data from Proskauer’s merger and acquisitions business was left on an unsecured Microsoft Azure cloud server.
TechCrunch obtained a portion copy of the exposed dataset, which included approximately 184,000 files total, the person told us. These files were accessible from the web browser by anyone who knew where to look, and contained private and privileged financial and legal documents, contracts, non-disclosure agreements, financial deals, and files relating to high-profile acquisitions.
Details of the exposed cloud server were captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage and files. The files are understood to have been left public for at least six months.
Proskauer resolved the spill about two weeks ago, but has not yet notified its clients, whose website lists Major League Baseball and Morgan Stanley as clients.
When reached for comment, Proskauer declined to answer questions related to the quantity and nature of the exposed data but did not dispute the claims. It’s also not clear how the data became exposed, though it’s not uncommon for server misconfigurations to be caused by human error. In an email to TechCrunch, Proskauer, which incorrectly referred to the data exposure as a “cyber attack” since there is no evidence of malice, would not say whether the law firm has any evidence of data exfiltration.
Proskauer said it recently learned that “an outside vendor that we retained to create an information portal on a third-party cloud-based storage platform had not properly secured it,” according to a statement provided by spokesperson Joanne Southern.
Proskauer declined to name the vendor.
“Our IT security team immediately took steps to reconfigure the site and secure its data,” Southern said. “This is an ongoing investigation and we have been urgently working with in-house and third-party cybersecurity experts to confirm our current understanding of the facts. We take the protection of our data incredibly seriously and take aggressive steps to monitor and protect against any unauthorized access or use of that data.”
Southern said the law firm will “communicate promptly with all affected parties as soon as we gain sufficient information to responsibly do so.”