Spain's official court intranet system, known as LexNET, was shut down urgently on Thursday afternoon after lawyers pointed out a breach in the permissions system that allowed any lawyer in the country to see the files and folders of any other lawyer in the country, related to any case in the courts system.
LexNET is the system through which Spanish lawyers receive court notifications about the status of their clients' cases and file documents with courts related to criminal, civil and administrative cases.
A lawyer in the southern city of Cartagena, José Muelas Cerezuela, announced on his Facebook page that he had discovered a "security failure in LexNet of such proportions that it allows any LexNet user to see the folders of all the other lawyers in Spain".
He told The Spain Report on Thursday that some colleagues of his, whom he declined to name or describe, had made him aware of the "programming error" on Wednesday and that they had attempted—unsuccessfully at first—to warn the Ministry of Justice.
"It looks like a typical programming error", he said: "not something you need a Master's Degree in hacking for".
By guessing or forcing another lawyer's identifier, it would be possible to access all of the documents in the system.
Mr. Cerezuela explained the rest of the hack to The Spain Report in detail, but we agreed to withhold description of it until he was satisfied the Ministry of Justice had fixed the failure.
Not only could a lawyer see another lawyer's files, he explained: "he could even download notifications" from the court system. These inform lawyers of the status of all of their cases.
A solicitor's deputy in the city of Murcia, Antonio Rentero Egea, explained that LexNET was like "an e-mail inbox between lawyers and the courts", for notifications and trial documentation, including evidence photos, bank statements, home addresses, social security details and procedural documentation.
"All of it would be available for a hacker to see, and all of the past cases for a particular lawyer."
Mr. Rentero said the breach was "very grave", given privacy and due care implications: "This opens up a whole range of issues with Data Protection laws".
Mr. Muelas explained that he had tested the breach with colleagues from his own office in Cartagena, "with their permission, of course", before informing the Ministry of Justice.
"There are a thousand evil uses of this", he said: "the big question is how long it's been there, and we don't know".
The Justice Ministry's LexNET Twitter account announced at 3:23 p.m. that the whole system was being shut down "until further notice".
An hour later, at 4:23 p.m., LexNET said the problem had been fixed. At 4:35 p.m., it said the service was "working normally" again.
The Ministry of Justice said it would issue a statement regarding the incident on Thursday evening, but had not responded further to requests for comment at the time of publication.
Published: 12:02 am, Jul 28 2017
PSOE Tables Parliamentary Questions On LexNET Failure
Two Socialist Party (PSOE) MPs, Isabel Rodríguez García (Ciudad Real) and Juan Carlos Campo Moreno (Cádiz), quickly registered questions in parliament on Thursday evening related to the failure of Spain's judicial intranet, LexNET.
Noting that the system has been problematic since it was first implemented nationwide a year and a half ago, the two MPs want to know:
- How big was the LexNET security failure and what were its characteristics?
- Which sensitive material, precisely, was left vulnerable?
- How long has the error existed for? Did the failure originate in the system?
- What is going to be done to fix the error and offer users peace of mind?
Published: 3:06 pm, Jul 28 2017
Spanish Judiciary To Investigate LexNET Data Breach
Spain's Judicial Council (CGPJ) announced on Friday that it had opened an investigation into the countrywide data breach in the judicial documentation system.
The judges want to "clarify the possible failure of the electronic communications security system for the Administration of Justice under the control of the Ministry of Justice (LexNET)" in case personal data protection laws were broken.
The Council held an extraordinary meeting on Friday morning after finding out about the failure "in the news media and on social media".
It has asked the Ministry of Justice to cooperate with its investigation.
Published: 7:39 pm, Jul 27 2017
Justice Ministry Blames Programming Error For Intranet Failure
The Spanish Justice Ministry issued a statement on Thursday evening blaming a "programming error" for the breach. The error was related to the introduction of a new multi-inbox feature, under which lawyers could take over each other's work with the other's permission: "[this] allows access to other users' inboxes".
The ministry admitted a "defect in the access control" had been detected, but insisted that the problem had been "completely fixed" within five hours of its technicians being made aware of the hack on Thursday.
The statement said the system had not identified any "unauthorised access to LexNET inboxes" and that it, in theory, prevents any unauthorised access from users who do not have a security certificate.
The ministry has launched an internal investigation to "uncover the details that have caused this incident".
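An illustration of the class of defect the ministry's statement describes: an inbox selected by the identifier in the request without comparing it to the certificate-authenticated user, shown beside a deny-by-default check that honours delegation. This is an added example, not LexNET code (whose source is not public); the class, function names, identifiers and data are all constructed.

```python
from collections import defaultdict


class InboxService:
    """Toy multi-inbox store. All identifiers and data are constructed."""

    def __init__(self):
        self.inboxes = {  # owner id -> notifications
            "LAW-1001": ["Notification 12/2017"],
            "LAW-1002": ["Notification 48/2017"],
            "LAW-1003": [],
        }
        # (owner, delegate): owner has authorised delegate to read the inbox
        self.grants = {("LAW-1001", "LAW-1002")}
        self.denied = []  # audit trail: (authenticated user, requested inbox)

    def read_unchecked(self, cert_user, inbox_id):
        # Defect class: the inbox is chosen by the identifier in the request
        # alone; the certificate identity is never compared against it.
        return self.inboxes[inbox_id]

    def read_checked(self, cert_user, inbox_id):
        # Deny by default: only the owner, or a delegate holding a grant.
        allowed = inbox_id in self.inboxes and (
            cert_user == inbox_id or (inbox_id, cert_user) in self.grants
        )
        if not allowed:
            # Same error for "unknown" and "forbidden", so a refusal does
            # not confirm which identifiers exist.
            self.denied.append((cert_user, inbox_id))
            raise PermissionError("access denied")
        return self.inboxes[inbox_id]


def enumeration_suspects(denied, threshold=3):
    """Users refused on at least `threshold` distinct inboxes."""
    seen = defaultdict(set)
    for user, inbox in denied:
        seen[user].add(inbox)
    return sorted(u for u, boxes in seen.items() if len(boxes) >= threshold)


def demo():
    svc = InboxService()
    leaked = svc.read_unchecked("LAW-1003", "LAW-1001")  # succeeds: the flaw
    delegated = svc.read_checked("LAW-1002", "LAW-1001")  # granted delegate
    for guess in ("LAW-1001", "LAW-1002", "LAW-1004"):  # guessed identifiers
        try:
            svc.read_checked("LAW-1003", guess)
        except PermissionError:
            pass
    return leaked, delegated, enumeration_suspects(svc.denied)
```

The refusal log only exists once the check does: on the unchecked path a cross-inbox read is indistinguishable from a normal one unless both the requester and the inbox owner are recorded for every request.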
Published: 12:31 pm, Jul 28 2017
Spain's Leading Consumer Association Slams Justice Data Breach
Facua, Spain's leading consumer association, issued a statement on Friday morning excoriating the Ministry of Justice for the massive data security failure in the country's LexNET judicial intranet that was uncovered by lawyers on Thursday, which it labelled "a very grave negligence".
The system had "an enormous security hole whose consequences will be impossible to fathom".
The gaping hole was a "massive scandal" that exposed citizens' names, surnames, ID numbers, phone numbers, addresses, bank accounts, social security details, tax details, court proceedings, fines and criminal records.
"The government is trying to cover up the magnitude of what has happened", said the statement, adding that it is impossible to know if there are more errors in the system because the source code is kept behind closed doors.
It is "very serious and worrying" that the platform is in the hands of the Ministry of Justice and not judges.
Published: 4:31 pm, Jul 28 2017
Ministry of Justice Announces 3-Day Shut Down Of Judicial Intranet
The Ministry of Justice announced shortly after 4 p.m. on Friday—via Twitter—that it was again shutting down the country's judicial intranet, this time for three days.
The system will be down from 4:30 p.m. on Friday evening (July 28) right through to 8 a.m. on Monday morning (July 31).
The tweet cited "technical maintenance tasks" but did not add further details about what the new problem might be or why the shut-down period needed to last three days.
The few Spanish lawyers who saw the ministry's tweet complained in the comments about the short notice and that they had to find out via a Twitter account.
After a one-hour closure on Thursday, the service announced it had, in theory, fixed the breach.
The Ministry was not immediately available for further comment on Friday afternoon.
Published: 10:56 pm, Jul 28 2017
Spanish Solicitors Say Justice Minister Calls Weekend Crisis Meeting
Spain's solicitors council (CGPE) announced on Twitter on Friday evening that the Justice Minister, Rafael Catalá, had called the chairman of the council to announce a weekend crisis meeting "to solve the problems with LexNET".
The announcement follows an earlier notification from the Ministry of Justice that the entire system was—very unusually—being shut down for three days, until 8 a.m. on Monday.
Monday is also supposed to be the last working day for the whole Spanish judicial system before the month-long summer break in August.
Pressed by The Spain Report late on Friday evening, a Ministry of Justice spokesman would neither confirm nor deny the news from Spanish solicitors about the Justice Minister and the urgent weekend crisis meeting.