Sensitive legal documents owned by a Santa Ana, Calif.-based law firm — which may reveal negligence on the part of prison staff in a Jan. 2015 suicide — were leaked online due to a misconfigured remote synchronization protocol installed on the firm’s network, MacKeeper’s Chris Vickery told CyberScoop.
“Client files are the crown jewels of a law firm and supposed to be kept under lock and key, which makes these internet-accessible discoveries even more surprising,” Vickery wrote in a blogpost where he first shared his findings.
The rsync setup was designed to copy internal client records and back them up to an independent storage device, which was connected to the public internet with no username or password protection. Vickery found another 10 law firms with similar network configurations, all causing files to leak online indiscriminately.
“There are several reasons an IT staffer would expose a network like this,” said Vickery. “There are the possibilities of laziness, overzealous convenience, a lack of understanding, or possibly just a reckless disregard for risk. In this specific instance, I’m leaning toward a lack of understanding being the root cause, although the facts are still very hazy.”
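As an added illustration (not code from Vickery, the firm or CyberScoop), the following Python script audits an rsync daemon configuration for the condition described above: shares that accept connections with no username or password. It assumes the exposure involved rsync's daemon mode and its `rsyncd.conf` file, which the article does not specify; the sample configuration, module names, paths and addresses are constructed.

```python
import re

# Constructed sample rsyncd.conf (not taken from any real network): one module
# with no access control at all, one module restricted by user and address.
SAMPLE_CONF = """\
uid = nobody
[backup]
    path = /srv/backup/clients
    read only = no
[archive]
    path = /srv/archive
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; globals set before the first [module] are inherited."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), dict(globals_))
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)        # only the first '=' is significant
        key = " ".join(key.lower().split())    # names ignore case and extra spaces
        (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for modules that lack access controls."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        findings = []
        if not p.get("auth users"):
            findings.append("no 'auth users': no username or password required")
        if not p.get("hosts allow") and not p.get("hosts deny"):
            findings.append("no 'hosts allow'/'hosts deny': any client address accepted")
        if p.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append("'read only = no': clients may also upload or overwrite")
        if findings:
            report[name] = findings
    return report

print(audit(SAMPLE_CONF))
```

Run against a real `rsyncd.conf`, any module that appears in the report should be given `auth users` with a `secrets file`, restricted with `hosts allow`, or taken off the public internet.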
One of the files Vickery found via the city’s law firm is surveillance footage that casts doubt on an investigation into the suicide of Daniel Oppenheimer, who hanged himself in his jail cell after being arrested on domestic violence charges. Oppenheimer’s family has reportedly filed a wrongful death lawsuit against the city.
The video calls into question the Orange County District Attorney’s office’s finding that the city bears no responsibility for Oppenheimer’s death, Vickery explained.
“I had every intention of simply writing a small post about the situation and deleting the whole 500+ gigabytes of gathered legal data. But then I saw something that I can’t un-see,” Vickery wrote. “Twice, while Daniel Oppenheimer strangles to death, La Habra jail staff members walk past his cell and do nothing to stop it. In the video you can clearly see their reflections in the plexiglass as they walk by. I am calling on the Orange County District Attorney to take another look at this death video and act appropriately.”
The city’s law firm — Ferguson, Praet & Sherman — has a timeline of the events that unfolded in the La Habra jail cell that differs slightly from information published in the District Attorney’s report, Vickery noted, omitting the fact that prison staff walked by Oppenheimer’s cell twice in nine minutes during the suicide.
An Orange County District Attorney spokesperson declined to comment, referring all questions to a Sept. 28, 2015 legal conclusion of the case. A representative of Ferguson, Praet & Sherman did not respond to CyberScoop’s request for comment.
Vickery, a prominent security researcher, notified the small law firm of its security stumble prior to publicly disclosing the rsync configuration issue.
Ferguson, Praet & Sherman “were very surprised to learn of the data exposure, but assured me that they had people looking into it,” Vickery told CyberScoop. “I did not directly ask them about the attorney notes indicating knowledge of the jail staffers walking past the dying inmate.”