Security experts revealed legal data leaks in Legaltech


Legaltech startups offer their customers legal services that are partially or fully automated and can therefore process large numbers of cases very efficiently, for example to enforce consumer rights. But as the degree of automation in legal proceedings grows, so does the risk that data is handled in a fully automated and unsupervised way. This is exactly what happened to two companies in the legaltech sector in recent months. The Chaos Computer Club (CCC) took up both cases.


The legaltech company Euflight is dedicated to consumer protection. It helps passengers enforce their claims for cancelled or delayed flights, or buys those claims at a discount (factoring). Euflight then asserts the acquired passenger rights against the airlines, in court if necessary.

In early September 2024, security researcher Matthias Marx discovered a .git directory that was accessible to everyone on a backend website, probably the result of a faulty rollout process. Such a directory contains not only the internal metadata of the version control system created by Linus Torvalds, but also the complete source code of the affected application. Hidden in it was the key to a data treasure: through the backend system, Marx had access to the data of several thousand Euflight customers and to some of the company's database servers. During his stroll through the Euflight system, the hacker also noticed outdated password hashing schemes and inadequate authentication mechanisms. Marx, a CCC member, turned to the club, which in turn informed the company. Euflight closed the worst gap the same day.

Euflight managing director Lars Waterman explained to heise Security how the leak came about: during the handover to a new IT manager, a misunderstanding allowed access to the .git directory. The affected software was "legacy", that is, part of the company's technical debt. Waterman addressed several of the points criticised by the CCC. The backend had been open since July 2024, but apart from the CCC researcher, nobody had accessed the directory. It has long since been removed, and the hacker's further recommendations for improvement have now also been implemented.

Matthias Marx and Euflight's management informed the responsible data protection authority, but the company did not inform its customers. Euflight was probably lucky in its misfortune: as the analysis of the log files shows, only the security researcher found the vulnerability and accessed the open data. For that reason, Waterman explained, the company refrained from informing customers; after all, no data was lost.
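The log-file analysis described above is something any operator can reproduce. The following added example (not code from the article, Euflight or the CCC) parses common-log-format access lines and reports which source addresses actually retrieved files under a version-control directory such as `/.git/`, so that the scope of an exposure can be established; the log lines are constructed for illustration.

```python
"""Scope an exposed-.git incident from web-server access logs (constructed example)."""
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should never be served from a web root.
SENSITIVE_PREFIXES = ("/.git/", "/.svn/", "/.hg/", "/.env")


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def exposed_vcs_hits(lines):
    """Map each source IP to the sensitive paths it successfully retrieved (2xx).

    Requests that were refused (403) or missing (404) are probes, not exposure,
    and are deliberately left out so the result reflects data that really left
    the server.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(SENSITIVE_PREFIXES) and 200 <= rec["status"] < 300:
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def summarize(hits):
    """Condense the per-IP hits into the two numbers an incident report needs."""
    return {"distinct_sources": len(hits),
            "requests": sum(len(v) for v in hits.values())}


# Constructed sample log: one client read the repository, one was blocked, one probed /.env.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Sep/2024:10:12:01 +0200] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.7 - - [02/Sep/2024:10:12:02 +0200] "GET /.git/config HTTP/1.1" 200 312',
    '198.51.100.4 - - [02/Sep/2024:11:00:00 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.4 - - [03/Sep/2024:08:30:11 +0200] "GET /.git/HEAD HTTP/1.1" 403 199',
    '192.0.2.9 - - [03/Sep/2024:09:01:45 +0200] "GET /.env HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    found = exposed_vcs_hits(SAMPLE_LOG)
    print(found, summarize(found))
```

In the sample only 203.0.113.7 actually obtained repository files; the blocked and 404 requests show up as probes but not as exposure, which is the distinction a breach-notification decision turns on.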

A second data leak, which an anonymous security researcher reported to the CCC, is quite similar. It affects Myright, another legaltech company that helps its customers pursue claims in many areas of life, from bicycle accidents to gambling losses.


While the security researcher at Euflight at least still had to read through the PHP source code lying open on the backend, Myright made it even easier for the curious: a misconfigured web server on Amazon Web Services offered all kinds of documents for download. Among them were files on the company's ongoing legal disputes and documents from its partner law firm. As security researcher Marx explained to heise Security, unauthorised persons could have reached ID documents, vehicle registration papers, sports betting records and other documents belonging to 25,000 customers.

Myright's managing director could not confirm this number; the company is still determining which customers are potentially affected. Even a week after the CCC informed the company and the responsible data protection authority on 27 January, it was still unclear how long the web server had been open on the Internet.

On the same day, Myright took the leaky web server off the net. The company is now moving the data, introducing two-factor authentication and a better protected platform for data exchange. In addition, Myright plans an external penetration test and security analysis, according to Bode, whose company informed the supervisory authority on 30 January. There is no evidence of unauthorised access, Bode continued, so customers have not been informed.

Both companies got off lightly with their data leaks; colloquially one would call it "more luck than sense". In the end, both took the tips seriously and patched the weak systems immediately. And, unlike the CDU or Modern Solution, neither filed a criminal complaint against the researcher. Those earlier cases met with harsh criticism and produced a "chilling effect": for fear of legal retaliation against their discoverers, vulnerabilities often go unreported.


It is not an isolated case that sensitive data lies around openly because of incorrect configuration. Whether through insecure APIs, as in the most recent data leaks, or through open web servers and databases, researchers and attackers often need little effort to get at the data, thanks to careless administrators. According to Marx, a certain habituation has set in by now: one often searches specifically for such data.

The conduct of the affected companies also frequently raises questions after such incidents. In the episode of the heise data protection podcast "Interpretation" published on 7 February 2025, hosts Joerg Heidrich and three heise editors discussed whether the companies' reporting practice is sufficient. One contentious point: companies often do not regard access by security researchers as third-party access that would oblige them to inform customers. But data flows out in these cases too, and not every unknown pentester is completely trustworthy.



