Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database and reported it to WebsitePlanet. The database held nearly 400k documents containing PII, partial credit card numbers, identification numbers, and other potentially sensitive information. The documents appear to be associated with the America Family Law Center and the legal cases of its clients.
The publicly exposed database contained 394,614 PDF documents that disclosed personally identifiable information (PII) of clients and details about their payments and legal issues. The documents all mentioned the Dallas-based America Family Law Center, individual lawyers, and their clients, and spanned several years. I immediately sent a responsible disclosure notice of my discovery. The only available email address bounced back saying the account was not actively monitored; the contact form on the website and the phone number both go to a call center. After numerous unsuccessful attempts to contact them, I also raised the issue with the Texas State Attorney General’s office, and the database was eventually restricted from public access several days later.
The America Family Law Center provides assistance primarily to low-income individuals who need help with legal issues that involve family law and parental rights, such as divorce, child custody or visitation, or child support. According to their website, the organization helps over 25,000 people per year. The database contained a wide range of attorney and client documents related to legal representation, agreements, payments and more. Some of the documents I saw revealed information that could potentially be a major personal privacy risk in the wrong hands. For instance, some documents in the database included statements from clients who believe the opposing party is a violent threat to them, their children, or property. Although multiple documents may be required for each client’s case file, it should be noted that I did not see any duplicate files in the publicly exposed database.
According to their website, the center is a 501(c)(3) nonprofit charitable organization: “America Family Law Center strives to provide family law help and assistance to individuals needing help resolving various family situations. Many situations involve family law and parental rights. The organization’s primary focus is on children and their relationships with their parents. Understanding how to navigate a divorce, child custody, child visitation, child support, and parental rights can be overwhelming.”

Here is a breakdown of how the records appeared in the database:
A total of 394,614 exposed documents in .PDF format.
12k protective order statements indicating potential domestic violence.
29k payment receipts that include partial credit card numbers and card type.
127k certificates of completion that contained electronic signatures, names, emails, phone numbers, and other information.
41k account statements that contained balances owed or paid, case ID, case number, and partial credit card numbers.
3k internal timesheets and hourly billing reports indicating how much time was spent on clients.
22 cardholder authorization forms that contain payment data, the last four digits of the credit card, and sometimes an associated driver’s license or passport number too.
28 “Things To Do” documents with instructions of what clients need for their case.
17k service agreements outlining what is and what is not included in the free legal services.
15k client policies that state what they are required to comply with.
4k hearing qualifying statements if the client believes that there is a threat of violence or damage to property once the other person is served court documents.
15k Client Resources documents that include additional information of client services provided as well as a list of those that are not provided.
17k Client Services Agreements.
200+ Decline of Service documents where either the client refused legal services or America Family Law Center declined to provide legal services.
9k Document Service Agreements.
28k evaluation acknowledgements containing hold and release forms for the client.
7k Legal-Document-Acceptance files showing a list of documents submitted or requested by clients.
Note: the file names identified the type of document and were easily searchable without downloading or extracting any files; this is how the totals above were calculated.
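The inventory above was built from file names alone, which is also how a defender would triage an exposed store before touching any content. The following script is an added example (not code from the original article or from America Family Law Center) that classifies a constructed file listing by keyword, counts each document type, and totals the categories most likely to contain payment data or safety-sensitive statements. The category names, regex rules, and sample file names are assumptions made for illustration.

```python
import re
from collections import Counter

# Ordered (category, pattern) rules. The first match wins, so the more
# specific agreement names are listed before the generic "service agreement".
RULES = [
    ("protective_order_statement", r"protective[-_ ]?order"),
    ("payment_receipt", r"receipt"),
    ("certificate_of_completion", r"certificate[-_ ]?of[-_ ]?completion"),
    ("account_statement", r"account[-_ ]?statement"),
    ("timesheet", r"timesheet|hourly[-_ ]?billing"),
    ("cardholder_authorization", r"cardholder[-_ ]?auth"),
    ("things_to_do", r"things[-_ ]?to[-_ ]?do"),
    ("hearing_qualifying_statement", r"hearing[-_ ]?qualif"),
    ("client_resources", r"client[-_ ]?resources"),
    ("decline_of_service", r"decline[-_ ]?of[-_ ]?service"),
    ("evaluation_acknowledgement", r"evaluation[-_ ]?ack"),
    ("legal_document_acceptance", r"legal[-_ ]?document[-_ ]?acceptance"),
    ("client_policies", r"client[-_ ]?polic"),
    ("client_services_agreement", r"client[-_ ]?services[-_ ]?agreement"),
    ("document_service_agreement", r"document[-_ ]?service[-_ ]?agreement"),
    ("service_agreement", r"service[-_ ]?agreement"),
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE)) for cat, pat in RULES]

# Categories a responder would escalate first (assumed prioritisation):
# payment data, identity documents, and statements about threats of violence.
HIGH_SENSITIVITY = {
    "protective_order_statement",
    "hearing_qualifying_statement",
    "payment_receipt",
    "account_statement",
    "cardholder_authorization",
}


def classify(name):
    """Map a single file name to a document category using the ordered rules."""
    for cat, rx in COMPILED:
        if rx.search(name):
            return cat
    return "unclassified"


def inventory(listing):
    """Count document types from a listing of object keys, never reading content.

    Non-PDF entries are counted separately so the totals still add up to the
    number of listed objects.
    """
    counts = Counter()
    for entry in listing:
        name = entry.strip().rsplit("/", 1)[-1]  # drop any folder prefix
        if not name.lower().endswith(".pdf"):
            counts["non_pdf"] += 1
            continue
        counts[classify(name)] += 1
    return dict(counts)


def sensitive_total(counts):
    """Number of documents falling in the high-sensitivity categories."""
    return sum(n for cat, n in counts.items() if cat in HIGH_SENSITIVITY)


# Constructed sample listing: invented keys, no real client data.
SAMPLE_LISTING = [
    "2021/receipt_10001.pdf",
    "2021/Receipt-10002.pdf",
    "2022/Protective_Order_Statement_5001.pdf",
    "2022/Certificate-of-Completion_7001.pdf",
    "2022/Account_Statement_8001.pdf",
    "2022/Client_Services_Agreement_9001.pdf",
    "2022/Document_Service_Agreement_9002.pdf",
    "2022/Service_Agreement_9003.pdf",
    "2023/Cardholder_Authorization_Form_3.pdf",
    "2023/notes.txt",
    "2023/Timesheet_2023-01.pdf",
    "2023/random_upload.pdf",
]

if __name__ == "__main__":
    counts = inventory(SAMPLE_LISTING)
    for cat, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {cat}")
    print(f"high-sensitivity documents: {sensitive_total(counts)}")
```

In a real review the listing would come from the storage service's object-listing API rather than a hard-coded list; the point is that the keys alone are enough to size the exposure and decide which categories warrant notifying affected individuals first.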
America Family Law Center has additional programs, such as the Fathers Rights Initiative, Texas Volunteer Attorneys, and Children First Always. It should be noted that I did not see any documents from these organizations, and it appears that the database contained only information directly related to the America Family Law Center. According to information in the publicly exposed client resources document, the client gets unlimited consulting with an attorney, but not a court appearance, document services, filing, or other legal services that require additional fees or costs. Fees to the client for services typically range from $0 to $700 and continue for an entire year.
Protecting client records in any industry is extremely important, especially if they contain PII, sensitive, or confidential information. Legal documents often contain highly personal and sensitive information, including details about family disputes, financial situations, and personal histories that are not intended to be publicly exposed. I recommend that any organization implement a robust cybersecurity and data protection plan when storing client records in a cloud storage repository, where there is a chance for the documents to be misconfigured and publicly accessible. Any potential data breach that exposes client documents associated with family law cases can pose significant risks to the affected clients.
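The misconfiguration described here is usually a storage policy that grants read access to everyone. The following check is an added example (not code from the article or from the organization discussed) that inspects an AWS S3 bucket policy document for unconditional public object reads and contrasts a weak policy with a corrected one. The article does not say which cloud provider was involved; the S3 policy format, the bucket name and the role ARN are assumptions chosen for illustration.

```python
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, authenticated or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_covers(action, target="s3:getobject"):
    """Does an action string (possibly with a trailing wildcard) cover target?"""
    action = action.lower()
    if action.endswith("*"):
        return target.startswith(action[:-1])
    return action == target


def public_read_statements(policy_json):
    """Return the statements that let anyone read objects.

    Each finding records the Sid, the resources it applies to, and whether a
    Condition block narrows it (conditional grants still deserve review).
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal", {})):
            continue
        if not any(_action_covers(a) for a in _as_list(st.get("Action", []))):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement-{i}"),
            "resource": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,
        })
    return findings


# Constructed weak policy: the classic "public read" grant on every object.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-client-docs/*",
    }],
})

# Constructed corrected policy: only one application role (placeholder account
# id and role name) may read objects, and the grant requires TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/CaseFileService"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-client-docs/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-client-docs",
                         "arn:aws:s3:::example-client-docs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for label, doc in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, public_read_statements(doc) or "no public read grants")
```

This checks only the bucket policy document. Object ACLs and the account- or bucket-level Block Public Access settings are separate controls and should be reviewed alongside it; a policy that passes this check can still expose data if an ACL grants read to the AllUsers group.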
It is extremely important that companies and organizations have an open communication channel for data incident reporting or privacy concerns. In this case, it took over a week for the notification to reach the correct person or persons responsible for the storage of data belonging to the America Family Law Center. Any delay between the discovery process, notification, and closing of the database increases the possible risks of additional individuals gaining access to the exposed documents. Potentially affected individuals should be notified or made aware of the data exposure. Furthermore, they must take basic steps to protect themselves and never give their personal information to anyone without verifying the person is who they say they are. To illustrate the potential risks, a criminal could contact the clients, pretend to be affiliated with America Family Law Center, and claim there is an outstanding payment or try to obtain additional personal information, such as banking details or their SSN. The criminal would subsequently have access to thousands of individuals and a wealth of insider information including case numbers and partial credit card numbers. I am not implying that any client was at direct risk but only wish to underscore the tactics employed in certain social engineering schemes.
To clarify our position, my intention is to provide accurate and relevant information while maintaining a neutral and factual stance regarding the data incident. Our reporting aims to raise awareness about the importance of cybersecurity and data protection in today’s digital landscape. We do not make any assumptions or accusations of wrongdoing regarding America Family Law Center, nor do we claim that the exposed data was at risk. Our reporting is based on available facts and information at the time of publication. We remain committed to providing accurate and responsible reporting on matters of public interest, including data breaches, while respecting the principles of fairness and objectivity. As an ethical security researcher, I never download or extract data, and I only took a limited number of screenshots for verification purposes, which were redacted for privacy protection.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.