I played a minor role in helping to get some people's very private information off of the internet. Small contributions can make a difference. Help when you can.
PostMortem: Data Leak Brandt Kettwick Defense
Type of leak
Azure Blob with the multi-year archive of a law defense firm. Files were readable and indexable for anyone. The leak contained data like search warrants, master case files from law enforcement, interviews with victims and the accused (including victims of sexual assault cases) and much, much more. In total there were several tens of thousands of documents.
URL of the leak was: brandtdefense.blob.core.window…
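The exposure described above (a storage container that anonymous clients can both list and read) is a container-level setting that an account owner can audit. The following script is an added example and is not part of the original post; it parses the JSON that the Azure CLI commands `az storage account list` and `az storage container list` produce and flags every container an anonymous client could reach. The account and container records embedded below are constructed samples so the check runs offline; the `audit_live` function shows the same check against a real subscription and assumes a logged-in `az` CLI.

```python
"""Audit Azure Storage accounts for anonymous (public) blob access.

Added example, not code from the original post. Uses the output shape of the
real Azure CLI commands `az storage account list -o json` and
`az storage container list --account-name <name> --auth-mode login -o json`.
"""
import json
import subprocess
from typing import Any

# Constructed sample of `az storage account list` output (names are invented).
SAMPLE_ACCOUNTS_JSON = """
[
  {"name": "examplearchive", "allowBlobPublicAccess": true,
   "resourceGroup": "rg-archive"},
  {"name": "examplelocked", "allowBlobPublicAccess": false,
   "resourceGroup": "rg-archive"}
]
"""

# Constructed sample of `az storage container list` output, keyed by account.
SAMPLE_CONTAINERS_JSON = {
    "examplearchive": """
[
  {"name": "cases", "properties": {"publicAccess": "container"}},
  {"name": "warrants", "properties": {"publicAccess": "blob"}},
  {"name": "internal", "properties": {"publicAccess": null}}
]
""",
    "examplelocked": """
[
  {"name": "cases", "properties": {"publicAccess": null}}
]
""",
}

# What each container publicAccess level grants to an anonymous client.
LEVEL_MEANING = {
    "container": "anonymous listing AND read of every blob (indexable by anyone)",
    "blob": "anonymous read of any blob whose URL is known",
}


def run_az(args: list[str]) -> str:
    """Run the real Azure CLI and return its JSON text (requires `az login`)."""
    return subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True).stdout


def find_public_containers(accounts_json: str,
                           containers_json_by_account: dict[str, str]) -> list[dict[str, Any]]:
    """Return one finding per container that anonymous clients can reach."""
    findings = []
    for acct in json.loads(accounts_json):
        # Account-level switch. Only an explicit False is trusted: on older
        # accounts a missing/null value meant anonymous access was permitted,
        # so null is treated as "allowed" and the containers are still checked.
        if acct.get("allowBlobPublicAccess") is False:
            continue
        for c in json.loads(containers_json_by_account.get(acct["name"], "[]")):
            level = (c.get("properties") or {}).get("publicAccess")
            if level in LEVEL_MEANING:
                findings.append({
                    "account": acct["name"],
                    "container": c["name"],
                    "level": level,
                    "url": f"https://{acct['name']}.blob.core.windows.net/{c['name']}",
                    "exposure": LEVEL_MEANING[level],
                })
    return findings


def audit_live() -> list[dict[str, Any]]:
    """Same audit against the subscription the az CLI is logged into."""
    accounts_json = run_az(["storage", "account", "list"])
    containers = {}
    for acct in json.loads(accounts_json):
        containers[acct["name"]] = run_az(["storage", "container", "list",
                                           "--account-name", acct["name"],
                                           "--auth-mode", "login"])
    return find_public_containers(accounts_json, containers)


if __name__ == "__main__":
    # Offline run over the constructed samples.
    for f in find_public_containers(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON):
        print(f"{f['url']}: publicAccess={f['level']} -> {f['exposure']}")
```

On the constructed sample the script reports two containers in `examplearchive`: `cases` at level `container` (the listing-and-read case that matches the "readable and indexable" description above) and `warrants` at level `blob`. The `examplelocked` account is skipped because its account-level `allowBlobPublicAccess` is explicitly `false`, which overrides any container setting. The remediation for a finding is to set `allowBlobPublicAccess` to `false` on the account, which disables anonymous access regardless of per-container settings.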
Threats from the leak
I see the following threats:
Confidentiality of people seeking legal counsel is compromised
Privacy of multiple U.S. citizens compromised
Very likely violation of several laws and ethics guidelines
Timeline
April 2025: Leak is discovered by a security researcher.
June 4th 2025: Significance of the leak identified, multiple attempts by the security researcher to close the leak (email, web contact), no reply during the complete incident.
June 12th 2025: A second security researcher attempts to contact the law defense firm, no reply till the end. Calls to the designated phone number were hung up by the law firm.
June 19th 2025: FBI and Hopkins (Minnesota police department) are informed.
June 21st 2025: I join the effort. Email directed to the owner of the company and one identified affected person. No reply during the complete incident.
June 25th 2025: Second security researcher reaches out to the Minnesota Bureau of Criminal Apprehension (BCA). They reply nearly immediately that they will investigate.
June 29th 2025: I make a post (infosec.exchange/@masek/114767…) and ask for help to get the attention of the law firm. The second researcher reaches out again to the BCA.
July 2nd 2025: Leak is closed. BCA answers that they were unable to get the attention of the law firm via phone and email, so they sent officers on site to convey the seriousness of the leak. They also say that the law firm had asked their IT department and it denied any possibility of a leak.
Analysis
This is not a complete failure analysis. These are only my own observations. Looking
Failures:
The chosen IT department was unable to adhere even to the most basic levels of data security.
Even when asked by the customer, the IT department denied the possibility of a leak.
The law firm has no proper process to deal with external IT security alerts.
Lack of understanding concerning the responsibility on the side of the law firm. Outsourcing only delegates the work but not the legal obligations.
Impact
It can be safely assumed (due to the duration and the ease of discovery) that all data on those servers is now in the hands of intelligence services (e.g. Russia, China) and cyber criminals with little care about the privacy of US citizens. Especially for people looking for material to blackmail people, this leak was a gold mine.
Acknowledgments
Thanks to @JayeLTee and @PogoWasRight@infosec.exchange for doing most of the work. A description of the incident from the viewpoint of Dissent can be found databreaches.net/2025/07/04/no…
Furthermore, I wish to praise the work of the Minnesota Bureau of Criminal Apprehension.
Also thanks to @TonyYarusso and @bkoehn@hachyderm.io for assisting us in getting the necessary attention.
Closing Remarks
It is clearly necessary that we have at least one public contact in each country that investigates and closes data leaks reported to them. The effort to close even the worst leaks is unbearable and currently rests on the shoulders of security researchers and their supporting environment.
Time spent on this leak from my side (without the time for this report) is 4+ hours. My best estimate on the effort of all people involved closing this leak would be in the hundreds of hours. The amount of time spent by the person responsible for the leaking system on security issues: None.
infosec.exchange/@masek/114800…
Martin Seeger (@masek@infosec.exchange)
Update 2: PostMortem published here: https://infosec.exchange/@masek/114800897587580803
Update: The leak is closed since July 2nd. Will write a postmortem on Saturday and add a link.