Full Report
In a special edition of “No need to hack when it’s leaking,” DataBreaches reports on a software vendor that, despite multiple attempts by multiple parties, continues to expose confidential and sealed court records. Overview: As a matter of policy, DataBreaches does not publish unredacted stolen or leaked data if it would expose personally identifiable or...
Analysis Summary
# Incident Report: Prolonged Exposure of Confidential Court Records by Software Vendor
## Executive Summary
A software vendor, Software Unlimited Corp, was found to be exposing large volumes of confidential and sealed court records belonging to its clients due to misconfigured storage shares hosted on Google Cloud. Despite being notified by multiple researchers, Mandiant, and even an FBI agent over several months starting in July 2025, the vendor failed to secure the exposed data, leading to a prolonged public data exposure incident.
## Incident Details
- Discovery Date: July 16, 2025 (First report)
- Incident Date: Began prior to July 16, 2025, and was ongoing as of October 13, 2025.
- Affected Organization: Software Unlimited Corp
- Sector: Software/Legal Technology (Provides criminal and civil case management software for prosecutors)
- Geography: Tupelo, Mississippi (Vendor Location); Data originated from various state and county courts across the US (Multiple states involved).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to July 16, 2025
- **Vector:** Misconfiguration of cloud storage shares (Implied, as data was found exposed on the internet via IP addresses hosted by Google).
- **Details:** Researchers discovered exposed storage shares containing sensitive court data. The initial share held over 100 GB of files from a single county/state.
### Lateral Movement
- **Details:** Not applicable in the traditional sense: the incident is a persistent public exposure of stored data, not an active compromise of internal systems. The known scope of the exposure did grow, however: on July 22, 2025, a second IP address was found hosting an exposed share with over 770 GB of files, including records from a second state.
### Data Exfiltration/Impact
- **Details:** Confidential and sealed court records, including court filings and juvenile case records, were continuously exposed to the public internet. This exposure persisted for months, despite multiple intervention attempts.
### Detection & Response
- **July 16, 2025:** First researcher contacts DataBreaches.
- **July 17 – 18, 2025:** A second researcher alerts the relevant state/county authorities with no reply.
- **July 22, 2025:** A second, larger exposed share is discovered.
- **July 28, 2025:** DataBreaches contacts Mandiant (Google informed DataBreaches that they hosted the shares) to request they notify their client (Software Unlimited Corp). Mandiant confirmed notification.
- **Weeks later (Post-July 28):** Shares remained exposed; DataBreaches contacts Mandiant again, who reportedly alerted the client again.
- **August 12, 2025:** DataBreaches attempts to notify a criminal defense attorney whose client's sealed records were exposed, but received no response.
- **October 13, 2025:** Report published, indicating the exposures were ongoing.
## Attack Methodology
This incident appears to be the result of an unintentional configuration weakness rather than a targeted external breach, fitting the "No need to hack when it’s leaking" pattern.
- **Initial Access:** Misconfiguration of cloud-hosted storage shares (Google Cloud).
- **Persistence:** Data remained accessible via the misconfigured public IP addresses for months.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable; the issue was visibility, not evasion of security controls.
- **Credential Access:** Not applicable.
- **Discovery:** External researchers located the exposed shares on the public internet and reported them; the vendor did not detect the exposure itself.
- **Lateral Movement:** Not applicable.
- **Collection:** Data was passively available for collection by anyone who found the IP addresses.
- **Exfiltration:** Data was accessible for download/copying.
- **Impact:** Unauthorized viewing and potential exfiltration of highly sensitive/sealed legal records.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Confidential and sealed court records, including juvenile court filings, from multiple states and counties. Volume exceeded 870 GB across the two identified shares.
- **Operational:** Unspecified impact on the operations of the affected counties/states relying on Software Unlimited Corp's services. Disruption stems from data exposure rather than system downtime.
- **Reputational:** Significant reputational damage to **Software Unlimited Corp** due to months of non-remediation despite warnings from security researchers and other entities.
## Indicators of Compromise
*Note: No specific IP addresses, hostnames or file paths were published in the source report; only the hosting context is known.*
- **Network indicators:** Storage shares reachable directly by IP address on Google-hosted infrastructure, serving data for the vendor. Two distinct IP addresses were identified (one first reported July 16, 2025; a second on July 22, 2025).
- **File indicators:** Files consisted of state-level and county-level court records, including sealed and confidential case files and juvenile case records.
- **Behavioral indicators:** Persistent, unauthenticated access to shares containing case management data, remaining available for months after notification.
## Response Actions
The primary response actions involved external notification attempts, as the responsible party (Software Unlimited Corp) was unresponsive:
- **Containment measures:** None reported as taken by the vendor as of the reporting date. DataBreaches withheld identifying details (addresses, paths, unredacted records) to avoid widening the exposure.
- **Eradication steps:** Not reported as completed by the time of the article.
- **Recovery actions:** Not reported.
## Lessons Learned
- **Vendor Responsibility:** Software vendors handling sensitive public and sealed government data must implement rigorous security standards for cloud configuration and access control.
- **Notification Effectiveness:** Direct vendor notification (if possible) combined with escalating through third parties (like the cloud host via Mandiant/Google) is a necessary tactic when primary contacts fail.
- **Government/Agency Response:** State and county agencies are not always swift or responsive to initial security alerts regarding data exposure.
## Recommendations
- **Stronger Cloud Security Posture Management (CSPM):** Software Unlimited Corp must immediately secure all cloud storage endpoints and implement continuous monitoring to prevent public access to non-public data.
- **Incident Response Protocol:** Establish clear, documented, and rapid internal procedures for handling external security vulnerability reports, especially those pertaining to client data.
- **Data Segregation:** Ensure strict logical and physical separation between public record data and confidential/sealed case data within storage infrastructure.
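The CSPM recommendation above is easier to act on with a concrete check. The following is an added example, not code from DataBreaches or from Software Unlimited Corp, and it makes an assumption the report does not confirm: that the exposed shares were either Cloud Storage buckets with public IAM grants or file shares on Compute Engine instances reachable through a VPC firewall rule open to the whole internet. It audits both paths offline against constructed sample data shaped like the JSON that `gcloud storage buckets get-iam-policy --format=json` and `gcloud compute firewall-rules list --format=json` emit; the bucket and rule names are hypothetical.

```python
"""Offline audit of two GCP exposure paths: public IAM grants on Cloud Storage
buckets and VPC firewall rules that open file-sharing ports to the internet.
Added example with constructed inputs; bucket, rule and group names are made up.
"""
from ipaddress import ip_network

# Principals that make a binding world-readable. allAuthenticatedUsers means
# any Google account at all, which is public for practical purposes.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# File-sharing ports that should never be reachable unauthenticated from the
# internet: FTP, SMB (NetBIOS session and direct), rsync, NFS.
FILE_SHARE_PORTS = {21: "ftp", 139: "smb", 445: "smb", 873: "rsync", 2049: "nfs"}


def public_bucket_bindings(policy):
    """Return (role, member) pairs in a bucket IAM policy that grant access to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def public_access_prevention_enforced(bucket):
    """True when the bucket's Public Access Prevention setting blocks public grants outright."""
    return bucket.get("iamConfiguration", {}).get("publicAccessPrevention") == "enforced"


def _ports_matching(spec, wanted):
    """Expand a gcloud 'ports' spec such as ['445', '2000-2100'] to the wanted ports it covers."""
    hits = set()
    for item in spec:
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        hits.update(p for p in wanted if lo <= p <= hi)
    return hits


def open_file_share_rules(rules):
    """Return (rule name, source range, port) for enabled INGRESS allow rules that
    expose a file-sharing port from a /0 source range (IPv4 or IPv6)."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        for src in rule.get("sourceRanges", []):
            if ip_network(src, strict=False).prefixlen != 0:
                continue  # scoped to a real network, not the whole internet
            for allowed in rule.get("allowed", []):
                proto = allowed.get("IPProtocol", "").lower()
                if proto not in ("tcp", "all"):
                    continue
                spec = allowed.get("ports")
                # A missing 'ports' list means every port of that protocol is open.
                ports = set(FILE_SHARE_PORTS) if spec is None else _ports_matching(spec, FILE_SHARE_PORTS)
                findings.extend((rule["name"], src, p) for p in sorted(ports))
    return findings


# Constructed sample inputs (hypothetical names), mirroring gcloud JSON output.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}
SAMPLE_BUCKET = {"name": "case-files-export", "iamConfiguration": {"publicAccessPrevention": "inherited"}}
SAMPLE_RULES = [
    {"name": "allow-internal-smb", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["445"]}]},
    {"name": "default-allow-fileshare", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["139-445", "2049"]}]},
    {"name": "allow-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    for role, member in public_bucket_bindings(SAMPLE_POLICY):
        print(f"PUBLIC GRANT  bucket={SAMPLE_BUCKET['name']} role={role} member={member}")
    if not public_access_prevention_enforced(SAMPLE_BUCKET):
        print(f"PAP NOT ENFORCED  bucket={SAMPLE_BUCKET['name']}")
    for name, src, port in open_file_share_rules(SAMPLE_RULES):
        print(f"OPEN SHARE PORT  rule={name} from={src} port={port}/{FILE_SHARE_PORTS[port]}")
```

Run against real output by piping `gcloud ... --format=json` into `json.load` and passing the result to the two audit functions; the `allow-https` rule is deliberately not flagged, since the check targets file-sharing ports rather than every 0.0.0.0/0 rule. Enforcing Public Access Prevention at the organization level closes the bucket path regardless of individual bindings; the firewall path still needs the rule-level check, because a share served from an instance is outside the bucket IAM model.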