2 min read

Law firm gave staff one master password for every account

A law firm let employees log in as any staff member or client using a shared admin password, exposing personal and health data.

Image: The Register

A law firm handed employees a single master password that could be used to log in as any user in its case-management system, according to a reader account published by The Register.

The story comes from an IT worker The Register identifies as “Manny,” who joined the firm a few years ago as a replacement for an entire team, effectively becoming its one-person IT department. He found that the company’s data and applications were housed in a large web-based interface split by client type, with separate areas for matters such as personal injury cases and travel refunds.

The bigger problem was access control. Manny said the system included a shared admin password that allowed anyone with it to impersonate staff or clients, as long as they knew the target user’s email address. That meant anyone holding the password could view sensitive personal information, including health records.

Recommended reading

Qantas avoids privacy probe after 5.7 million-record breach

“I immediately raised this as a huge security risk. But I was told, 'Oh that’s the admin password, everyone uses it. Don’t touch it.'”

Manny

According to Manny, the password was used for routine workarounds inside the firm: logging in as a sick colleague to reassign tasks, or signing in as a client to complete missing form fields. He described the underlying platform as 15 years old and badly in need of replacement.

When asked to build a new system, Manny said he refused to include the same kind of backdoor access.

“I point blank refused to add any back doors to it. So they promoted every user to a system admin and carried on, business as usual.”

Manny

The Register frames the episode as a case of security risks being ignored by management, even when technical staff objected. In this instance, the firm appears to have avoided immediate fallout despite leaving broad access to client data in place.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

// Keep reading