Data Breach: Turkish legal advising company exposed over 15,000 clients

Data Breach: WizCase team uncovered a massive data leak containing private information about Turkish Citizens through a misconfigured Amazon S3 bucket.

The server contained 55,000 court papers regarding over 15,000 legal cases, which affected hundreds of thousands of people.

What’s Going On?

Our online security team has uncovered a massive data breach originating from a misconfigured Amazon S3 bucket operated by a Turkish legal advising company, INOVA YÖNETIM & AKTÜERYAL DANIŞMANLIK. Inova is an actuarial consultancy company, which means it compiles statistical analyses and calculates insurance risks and premiums. Inova has been operating since 2012 and has handled thousands of cases since then.

While Amazon offers the necessary tools to secure its services, Inova did not implement these measures properly.

Data leak discovered: 30.09.2020
Inova contacted: 01.10.2020
Amazon contacted: 06.10.2020
Turkish CERT contacted: 05.10.2020
Response received: –
Server secured: 12.10.2020

After further investigation, we have concluded that these documents belonged to people injured or deceased in traffic accidents. All court cases had several types of documents containing the following info regarding the victim:

- PII such as:
  - Name and surname
  - National ID number
  - Gender
  - Marital status
  - Birthdate
- Details about the insurance such as:
  - Insurance company details/name
  - Dossier no.
  - Policy issuance date
  - Victim’s past and future expected salary
- Accident details such as:
  - Accident’s/death’s date
  - Report date
  - Fault rate

Document included in every court case, showing personal information about the victim

Document showing the victim’s salary before the accident as well as the expected future salary prior to the accident

Some of the court cases had more information about the victim or involved other people. This included parties such as victims’ beneficiaries, other parties involved in the accident, police officers, and prosecutors.

While investigating, we have also stumbled upon the following kinds of documents:

- Documents sent to insurance companies containing:
  - Name and surname of involved parties
  - Vehicle license plates
  - Date of accident
  - Severity of the injuries
- Incident reports taken at the accident site by the police officers containing:
  - Detailed information about how the accident took place
  - Vehicles involved and damages caused to them
  - Both parties’ insurance information
  - Drivers’ names, surnames, national IDs, birthdates, phone numbers, driver’s license information
  - A summary of the accident in handwriting
  - Sketch of the accident
  - Information about the police officers who held the report
- Photocopies of drivers’ licenses
- Photocopies of vehicle licenses
- Photocopies of alcohol breathalyzer tests
- Police complaints post-accident containing:
  - Name and surname of the complainant
  - Mother’s and father’s names
  - Birthdate and birthplace
  - Residency address
  - Profession
  - Phone number
  - Education level
  - Marital status
  - Gender
  - Signature of the complainant
- Testimony of the other party containing:
  - Name and surname
  - National identifier
  - Mother’s and father’s names
  - Birthdate and birthplace
  - Residency address
  - Profession
  - Workplace address
  - Email
  - Phone number
  - Education level
  - Marital status
  - Gender
  - Signature
- Judicial committee reports containing:
  - Name, surname
  - Birthdate
  - National ID
  - Phone number
  - Medical history
- Reports from multiple hospitals about the victim’s injuries and condition:
  - Symptoms
  - Administered drugs
  - Epicrisis report
  - Decisions like how long the victim will need care and how long they can’t work for
  - Doctor’s name
  - Hospital dossier no.
- Advance capital value reports containing how much money is owed by the insurance to the victim
- Documents sent to court in objection to court experts’ calculation of how much insurance companies owe each of the victims
- Legal papers including:
  - Name and surname
  - Address
  - National identifier
  - Bank account details
  - Power of attorney information
- Emails between lawyers and the clients

Police report containing accident details, as well as involved parties phone numbers, driver’s license information, name-surname, and national identifier

Sketch of the accident from the police report

Document sent to the insurance company by the victim’s lawyer

Post-trauma health report about the accident

How Did the Data Breach Happen?

This breach originated from a misconfigured Amazon S3 bucket, which contained 55,000 crucial court documents from cases Inova was involved with. The documents’ total size was more than 20GB, and they were accessible to anyone who found the S3 bucket. They required no authorization to access, meaning anyone could access this bucket and download massive amounts of personally identifying information about Inova’s clients.
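The article does not say which setting on the bucket was wrong, so the following added example (not from WizCase or Inova) audits the two usual routes to anonymous access, a wildcard bucket policy and a public ACL grant, and shows how S3 Block Public Access neutralizes both. The sample policy, ACL and bucket name are constructed placeholders shaped like the responses of the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean everyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(policy_json, acl_grants, bpa):
    """Return findings describing how anonymous users can reach the bucket."""
    findings = []
    # IgnorePublicAcls makes S3 disregard public ACL grants already on the bucket.
    if not bpa.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not bpa.get("RestrictPublicBuckets", False):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
                continue
            scope = "conditionally (review Condition)" if stmt.get("Condition") else "unconditionally"
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            findings.append(f"Policy allows {actions} to everyone {scope}")
    return findings

# Constructed sample inputs; "example-bucket" is a placeholder name.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
SAMPLE_ACL = [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
BPA_OFF = {}
BPA_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, bpa in (("BPA off", BPA_OFF), ("BPA on", BPA_ON)):
        print(label, public_exposure(SAMPLE_POLICY, SAMPLE_ACL, bpa))
```

With all four Block Public Access settings enabled the same policy and ACL produce no findings, which is why enabling it at the account level is the usual baseline for buckets holding documents like these.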

Whose Data was Exposed and What Are the Consequences

Leaked data contained information about more than 15,000 clients of Inova, people who had accidents and hired Inova between the start of 2018 and end of summer 2020. If you had a traffic accident in the last 5 years, odds are Inova was involved with your court case at some point. Although your data may not have been found by anyone else, in case any ill-intentioned hacker discovered it, here are some of the risks people exposed could face:

Phishing Scams and Malware

People whose data might have been exposed need to be extra careful since they can run into scammers masquerading as law enforcement, prosecutors, or lawyers. Scammers like this are pretty common in Turkey. The leaked information also contained the amount of relief funds victims and their families received, so scammers could target people who recently received large amounts of money from the court.

Since these documents also leaked information about the court case that only lawyers, insurance companies, and other officials should have access to, like dossier number, accident details, client details, as well as phone numbers; always be sceptical about people calling you about your past court cases and asking for money or information.

Identity theft

With large amounts of identity information about the clients being leaked in this breach, criminals can use it for identity theft. With details like a client’s beneficiaries, the national ID numbers of clients and their beneficiaries, and phone numbers being leaked, some of the more elaborate identity theft cases could be executed. With some social engineering, bad actors or criminals could contact a GSM operator, masquerading as the victim, and answer all kinds of verification questions GSM operators would ask to clone a SIM card.

After having access to victims’ phone calls and SMS messages, bad actors could then try to do the same operation with clients’ insurance and bank.

