DALBIR Singh & Associates, P.C. Law Firm—known as DSD Law—had a misconfigured Amazon bucket that exposed client files, with the bucket reportedly containing more than 110,000 files before it was secured again. DataBreaches[.]net first flagged the exposed data for the firm on March 5 after being alerted by a researcher, and the outlet later reported that the bucket remained accessible and could have been downloaded by anyone, including government agents, without a password.
By April 3, the bucket was secured, but then it appears to have been exposed again, and KillSec’s onion leak site showed DSD Law Firm listed with proof of claims and a countdown clock, according to DataBreaches. DataBreaches describes this as a protracted communication challenge, including failed attempts to reach the firm and its associated entity, Sprint Legal, LLC, and notes there is no notice on the firm’s website about any data security incident from March.
The outlet has urged the New York State Attorney General’s Office to intervene to ensure proper notification and a cybersecurity programme and incident response plan in line with state expectations.