Johnny’s Data Diving Part 1: New York Firm Law360 Leaks Israeli Intelligence’s Personal Data
Law360 clueless and ineffective in response to data breach
I was searching for potential sex offenders when I stumbled across an interesting data leak. An accounts executive for a New York legal advisory firm, Law360, had opened up her hard drive by not being more careful with which folders she was sharing, a common problem in the modern digital world. I began downloading the various Law360 contracts and other personal data and putting them in secure folders. Of late, I have my eyes peeled for any companies who fail in their legal duty to protect their customers and employees personal data and a legal firm responsible for the leaking was irresistibly ironic. This would be the 2nd large company who I had compromised in a matter of days. These are the types of companies where the lower paid employees would be fired for leaking data, but where the higher paid executives and managers live by different rules.
Law360 isn’t your standard firm of lawyers. They position themselves as industry specific media and journalism focused legal advisory, however they have more to offer to their wealthy clients than just legal reporting. Law360 offers their customers one of the most expensive “email newsletters” on planet Earth. The newsletter subscription client contracts that I had downloaded were costing users between $1400.00 and $18,000. The lower priced contracts were receiving basic packages but the more pricey contracts allow their customer access to some of the largest legal databases in the US.
So, who are some of the clients using Law360?
On the lower tiers there are companies who have obvious legal liability issues. The CBD cannabis producers, High Roller Private Label have an annual subscription starting on March 1, 2020 and they pay $1,440.00 for the service. Halozyme Therapeutics describes itself as a U.S. biotechnology company that develops novel oncology therapies designed to target a tumors microenvironment and licenses a drug delivery technology through corporate partnerships. Halozyme pays $1,750.00 for an annual subscription to the email newsletter. Another legally precarious US company who have low level subscriptions include Mike Baker at Jakes Fireworks. So, an American fireworks supplier, a novel oncology therapeutics developer, and a cannabis producer specialising in CBD related medicines. It is clear that these companies may need to know of any industry specific legal changes.
The organisations who pay a medium subscription for Law360’s email newsletter include Haig Capital Group, BevNet.com inc, Huron Consulting Group, Ollie Leech from Bitcoinist.com, History Associates, and Blue Vista of Chicago who pay Law360 $5,440.00 for the annual subscription.
The biggest contracts include one very notable and sinister company. The big spenders are B.C.Strategy Ltd, HKA inc. Marketing and Communications, Bottomline Technologies and Height LLC. And the two largest spenders from this Law360 data leak seem to be Boenning and Scattergood paying $16,445.00 for the service and US health insurers Blue Cross Blue Shield under Louis Patalano - who now works as Chief Legal Officer for Sentara Healthcare - pay $17,965.00.
Did you notice B.C. Strategy sitting at the beginning of the higher tier group? Do you know who they are? B.C. Strategy is a private Israeli intelligence agency based in London. They are referred to simply as “Black Cube” and can be considered as the public face of Israel’s official intelligence agency, the Mossad. New York and London are both welcoming foreign hubs for Israeli intelligence operations.
So, what does Black Cube require from Law360? The obvious answer is data, masses of data. If Black Cube is gaining full access to all the legal databases Law360 have on offer then that is a massive amount of personal data for the Israeli intelligence firm to catalogue. This is vital personal information which intelligence agencies like Black Cube can use to influence a subject or groups, or simply pass on to allied intelligence agencies and/or commercial data gatherers. Like many shadowy entities, Black Cube wants as much of people's personal information as possible and the American government is allowing that to happen. There are big companies like Law360 which is run by Portfolio Media inc. are openly selling access to legal databases to a foreign intelligence agency and nobody’s stopping the actions which are essentially treason.
I contacted Law360 to explain how I had just downloaded their private company data from a technologically naive employee. I was very interested to see how the New York law advisory firm, which is a subsidiary of LexisNexis, would react to such a data leak.
I explained to the Law360 customer services department:
“Hi, I'm about to publish an article about Law360 leaking sensitive company and personal DATA. I want to give the right of reply for some very serious accusations of negligence at Law360. Could you please give me the contact emails for your legal department and press office so I can make them aware and officially give Law360 a right to reply. Email me. Thanks.”
I quickly received a very defensive, yet seemingly complacent, response from a member of Portfolio Media’s general counsel, Robert Polsky:
“I'm in receipt of your correspondence. Please describe in detail any information you have that forms the basis of your allegations below. We are not aware of any basis for the allegations you make and are troubled by your threat to publish what on its face appears to be a defamatory article about our company. Needless to say we will zealously defend ourselves and our reputation.”
I had expected them to come out fighting, even before they knew what they were being accused of. I had also not mentioned Israeli intelligence yet, or they probably would have never replied. So I responded:
“Thank you for your quick response. I understand that your company will “zealously defend” yourselves and your reputation. But to do so before you understand the accusations is probably unwise. And my message was not a threat, I am giving your company primary right of reply to the accusations, and sending you a preliminary draft of the story, before I ask the same of LexisNexis and the customers who have been affected by your DATA leak in around 48 hours. I am willing to give you time to discuss your response before I release the article to anyone else. That’s quite polite for a journalist.
As for the accusations. You are completely guilty of leaking some of your top clients personal data. There is no doubt that the leak came from your company and the level of irony is off the charts. I don’t take well to threats, intimidation, or mincing of words. If you do not wish to reply to the article then please say so and I will continue to the next stage of right to reply requests.
Sir, your company has leaked the personal data of Black Cube, the private Israeli intelligence agency. This is a fantastic story for an independent journalist like myself and I have no fear when I write any article. I have already ruffled big feathers with my previous pieces and I will continue to do so. I’ll also attach some of the personal data that your employee has been legally sharing with the entire world.
Please think through your next response as I’m very busy and so are you. A secure source will publish the article automatically if anything negative happens to me.”
There was then a long pause as rooms full of Law360 attorney’s discussed the correct response. I had thrown the cat amongst the pigeons. For me, the irony of them leaking Black Cubes personal data was some of the richest I’d ever tasted. And it wasn’t any old geezer who’d come across it; I research intelligence agencies and their sinister methods of data gathering. I wasn’t even looking for intelligence related material when I stumbled across the documents being legally shared online. The next, and final, correspondence from Robert Polsky was much more contrite and direct.
“Thank you for reporting this to us. We appreciate your disclosure. We quickly investigated and remedied the issue and have contacted customers who may have been impacted. We note that you have included the individual employee’s name in your draft article. We request that you consider removing and/or redacting her name given that this could cause emotional distress or personal harm to her.”
I agreed to leave their employees name out of the article as her actions had no malicious intent and she had simply been naive. But I was really surprised by Law360’s response to the data leak. Mr. Polsky had failed to check how many times their security had been breached, he didn’t ask for a complete list of the leaked data to verify the correct customers affected, he made no attempt to secure the lost data, and most importantly, I was not asked to delete any of the leaked information. I do believe that he reported the issue to Black Cube, and some of the other major accounts, but I talked to some of the customers who had had their data leaked only to eventually believe that Robert Polsky had lied to me about Law360 notifying their customers. A firm of lawyers lying, who’d believe it? That should concern all of their clients. I’m not even sure that anyone at Law360’s top offices are actually trained in effective data protection.
With no purposeful attempt to establish the true severity of the data breach, Law360 have let down their customers and they have run roughshod over global data protection laws. I decided that there was no point in talking to a well buffed marionette and his twisted puppeteers.
It was such an ironically fantastic double bill. A legal firm leaking information and some of the leaked personal data being from Black Cube, surely that can’t be beaten. But nowadays the world is drowning in irony.
P.S. Johnny Vedmore is an investigative journalist, musician, data angel, and he also hunts sexual predators. You can find his articles, music, videos and more at JohnnyVedmore.com. Support independent journalism!