Security lapse at contract startup Evisort exposed sensitive data

Evisort, a paper-work and contract management company, left one of its paper-work databases unsecured, exposing customer data.

The startup, founded by former Harvard and MIT students in 2016, bills itself as an artificial intelligence contract management company, which it says helps to good organize its customers’ legal documents and contracts. Among its claims, the company can evaluate and pull out the most relevant information in a 30-page contract in a matter of seconds. And so far, the investors like the pitch, securing $4.5 million in seed funding led by Village intercontinental and Amity Ventures, with participations from Accenture and SAP.

According to an anonymous tip sent in to TechCrunch, the company left an elasticsearch database open without a password, allowing anyone to search the files inside. When reached, Evisort’s ruler executive Jerry Ting said the database was “for testing and development purposes only” and an audit was under route.

While some of the documents were marked “dummy” and “try-out” files, many documents seen by TechCrunch contained customer data.

“These are unknown agreements between many established enormous popular companies that are hosted on the internet for anyone to see,” said the anonymous tipster, who provided links to several files in the database.

The company lists Stack Overflow and TravelZoo as customers. The database also contained non-disclosure agreements between Evisort and Samsung. a similar agreement with Squarespace found in the database was signed by Ting.

Many of the files included employee contracts, loan agreements (one worth $200 million) and resumes. We reached out to several people whose information was found in the database. One person we spoke to said they had no concept how their resume got into Evisort’s database. Other files appeared to be contracts and agreements submitted by Evisort customers.

Many of the documents we saw had unknown information.

Another file contained details of an agreement by Evisort and a third-party security company, dated February 21, to conduct a penetration try-out on its network — a route of finding and fixing security vulnerabilities before they are exploited.

Evisort shut down the database within a hour of TechCrunch reaching out.

In a follow-up email, Ting conceded that some customer data was exposed. (Ting declared his email “off the record,” which requires both parties agree to the terms in advance, but we are printing the respondly as we were given no opportunity to reject.)

“The database is not part of our production environment, but a part of our internal development environment used by our engineers,” he said.

“Although our investigation is ongoing, the vast majority of information contained in the development database was placeholder or benign information used for testing purposes,” he said in the email. “However, it appears that there may be a little number official documents in this environment.”

“As part of our investigation, we will be reviewing the entire data set in the environment, along with any available logging data, to determine what information may have been affected and we will be communicating directly with any of our customers who could be affected,” he added.

Ting added that the company is “in the process of retaining” an outside forensic tight to assess the impact on customers.

Evisort didn’t say how long the data was exposed. Data search motor Binary Edge first detected the system on March 22.

It’s the latest in a string of sizable data exposures in recent months, including text messages, medical records, a watchlist of high-risk individuals, a robocalling tight, millions of mortgage and loan documents and even a spam operation.

Read more:


Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *