What’s Going On?

After further investigation, we have concluded that these documents belonged to people injured or deceased in traffic accidents. All court cases had several types of documents containing the following info regarding the victim:

PII’s such as: Name and Surname National ID number Gender Marital Status Birthdate Details about the insurance such as: Insurance Company Details/Name Dossier No Policy Issuance date Victim’s past and future expected salary Accident details such as: Accident’s/Death’s date Report Date Fault rate

Some of the court cases had more information about the victim or involved other people. This included parties such as victims beneficiaries, other parties involved in the accident, police officers, prosecutors. While investigating, we have also stumbled upon the following kinds of documents:

Documents sent to insurance companies containing: Name and surname of involved parties Vehicle license plates Date of accident Severity of the injuries Incident reports taken at the accident site by the police officers containing: Detailed information about how the accident took place Vehicles involved and damages caused to them Both parties insurance information Drivers names, surnames, national ID’s, birthdates, phone numbers, driver’s license information A summary of the accident in handwriting Sketch of the accident Information about the police officers who held the report Photocopies of drivers licenses Photocopies of vehicle licenses Photocopies of alcohol breathalyzer tests Police complaints post-accident containing: Name surname of the complainant Mothers and fathers names Birthplace and birthplace Residency address Profession Phone number Education level Marital Status Gender Signature of the complainant Testimony of the other party containing: Name surname National identifier Mother and father’s name Birthdate and birthplace Residency address Profession Workplace address Email Phone number Education level Marital status Gender Signature Judicial committee reports containing: Name, surname Birthdate National ID Birthdate Phone number Medical history Reports from multiple hospitals about the victim’s injuries and the condition Symptoms Administered drugs Epicrisis report Decisions like how long the victim will need care, how long they can’t work for Doctors name Hospital dossier no Advance capital value reports containing how much money is owed by the insurance to the victim, Documents sent to court in objection to court experts’ calculation of how much insurance companies owe each of the victims Legal papers including Name surname Address National identifier Bank account details Power of attorney information Emails between lawyers and the clients

How Did the Data Breach Happen?

Whose Data was Exposed and What Are the Consequences

Leaked data contained information about more than 15,000 clients of Inova, people who had accidents and hired Inova between the start of 2018 and end of summer 2020. If you had a traffic accident in the last 5 years, odds are Inova was involved with your court case at some point. Although your data may not have been found by anyone else, in case any ill-intentioned hacker discovered it, here are some of the risks people exposed could face:

Phishing Scams and Malware

People whose data might have been exposed need to be extra careful since they can run into scammers masquerading as law enforcement, prosecutors, or lawyers. Scammers like this are pretty common in Turkey. The leaked information also contained the amount of relief funds victims and their families received, so scammers could target people who recently received large amounts of money from the court. Since these documents also leaked information about the court case that only lawyers, insurance companies, and other officials should have access to, like dossier number, accident details, client details, as well as phone numbers; always be sceptical about people calling you about your past court cases and asking for money or information.

Identity theft

With large amounts of identity information being leaked about the clients in this breach, criminals can use it for identity theft. With details like a client’s beneficiaries, national ID numbers of them and their beneficiaries, and phone numbers being leaked, some of the more elaborate identity theft cases could be executed. With some social engineering, bad actors or criminals could contact a GSM operator, masquerading as the victim, and verify all kinds of verification questions GSM operators would ask to clone a SIM card. After having access to victims’ phone calls and SMS messages, bad actors could then try to do the same operation with clients’ insurance and bank.

Corporate Espionage

Some competitive corporations will be able to contact individuals whose court information was leaked and try to convince them to hire their company instead. This is made easier since competitors will have access information from Inova’s clients.

Blackmails and Threats

Leaked documents include information such as police officers who have kept the reports; documents sent to prosecutors from police officers; names and surnames of the judicial committee members. Personal information like this could cause these individuals to be harassed or blackmailed by people involved in such cases since their identities have been leaked.

Bribing

With the amount of sensitive information in these papers, people involved in one of these cases could attempt to find and track other people involved in the case. This will lead to a rise of attempts to bribe officers to make decisions favoring them, bribe them to suppress them, or change their statements.

What Can I Do to Protect My Data?

With cases such as these, it is unusually difficult to protect your own data because it is often in the hands of the company you are working with. Make sure to send only the necessary information they need and ask them what kind of security measures they are taking to keep your private data private. If you are a European citizen, contact the company that needs your private information and ask them what kind of measures they implemented to comply with GDPR laws. In this particular case, Turkey has its own set of laws against the improper handling of personal data, named KVKK. We highly recommend people to reach out to Inova and make sure the leak is properly handled. In any case, never trust anyone asking for personal data over the phone, if you receive calls related to your accident, please inform your contact at Inova and make sure the request comes from them.

How and Why We Discovered the Breach

At Wizcase, we are constantly scanning random parts of the internet to find data breaches and to get the data secured before criminals can find and abuse it. As this bucket was left public, without any configuration to protect the files, it could have been discovered and accessed by anyone with the URL. We’ve seen that this bucket also contained technical logs from the company infrastructure that was not accessible to us without proper authorization. Even though authorization mechanisms were there, they were not in place to adequately protect the important files that were found inside the bucket.

Who is Wizcase?

WizCase is one of the biggest international online security websites, with content translated to 30 different languages. We provide tools, tricks, and best practices for online safety and security. This includes detailed VPN reviews and tutorials. Our online web security team of White Hat hackers have uncovered some of the most significant data breaches, including unsecured webcams and dating site scandals. Not only do we release our reports to the public, but we disclose them to the company as well, allowing them to secure their serves and creating a more secure environment for everyone.