What is the issue - A security researcher named Bob Diachenko uncovered an Elasticsearch instance that was publicly accessible without any password protection.
Why it matters - The leaky database contained 257,287 legal documents, some of them labeled ‘not designated for publication’. The documents relate to US court cases and are usually exchanged between lawyers and the court.
“Cases are from 2002-2010 era, from all over the [US] States. Most docs are public, but about 30%-40% of it is 'unpublished opinion' or 'not designated for publication',” Diachenko told ZDNet.
The big picture
The security researcher examined the database and found that it belongs to Lex Machina, an IP litigation research company and a division of LexisNexis. Diachenko notified the company about the leaky database but received no response.
Further investigation led to the suspicion that the database is managed by LexSphere, a legal services company that provides legal outsourcing services to the law firm LexVisio.
Even though the owner of the database remains unclear, the open database was secured after almost 2 weeks.
“Danger of having exposed Elasticsearch or similar NoSQL databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges,” Diachenko said in a blog.