Detailed and potentially sensitive information uploaded by firms including Weil, Gotshal & Manges, White & Case, Baker McKenzie and DLA Piper was left "exposed" on an open database platform, according to a report by a cybersecurity firm.  

The cache of data, which included Companies House forms, partial security authentication details, business email addresses and encrypted passwords, were accessible on a historic database owned and operated by British tech giant Advanced Computer Software, the report says.

Data from hundreds of law firms was on the platform, according to the post by TurgenSec. Other top firms affected were Hogan Lovells, Clifford Chance, Slaughter and May, Fieldfisher, Dentons UKMEA, Addleshaw Goddard and legacy Olswang—now part of CMS.

The company lists more than 190 law firms with data on the platform, including 49 with primary data on the platform including hashed passwords, usernames and IDs. 

Clifford Chance confirmed in a statement that a review had taken place, while a person with knowledge of the situation said DLA Piper had launched a "full and thorough" investigation following the incident.

According to a post by TurgenSec, the Advanced team interacted with an open server and did not use unauthorized credentials, brute force password guessing or any other unlawful process.

The cybersecurity firm added that the identified databases appeared to contain information relating to the staff of legal firms, and in some cases, potentially sensitive data relating to authentication on behalf of clients.

In a statement, Advanced director of security and compliance Justin Young said the firm had taken immediate steps to "address the issue, secure the data and make contact with the small number of affected customers."

Young added that the data in question related to commercial property transactions and was largely of public record on Companies House and predated 2017.

Other data on the platform consisted of business email addresses, passwords and security verification responses. Young added that all passwords on the affected platform were in secure hashed form, and noted that "security verification responses consisted of the first three letters of the response only and therefore resulted in a very limited amount of additional information being discernible from the platform."

"None of the data is deemed sensitive or special category under current legislation. We have taken legal advice to verify our position," Young said. 

A spokesperson for Clifford Chance added: "We take the security of our data and systems, including those provided by third parties, extremely seriously. Our detailed analysis, based on our own review and on input from the supplier, has confirmed the discernible data from the firm was limited and historic and only partially visible. Any client data was already a matter of public record and no longer private or confidential."

Slaughter and May and Hogan Lovells declined to comment. Weil, White & Case, Baker McKenzie, Fieldfisher, Dentons UKMEA, Baker McKenzie, Addleshaw Goddard and CMS had not responded to requests for comment at the time of publication.