Law’s Lessons Learned From the “CloudBleed” Leak

2 March 2017
Legaltech News

Microsoft assistant general counsel Dennis Garcia predicted that “Big Law will be in the cloud within a year.” But reports of a data leak from the popular internet security company CloudFlare may put already tech-phobic lawyers on edge about moving data further into the online space.

CloudFlare, a self-described “web performance and security company,” reported the bug on February 23, explaining that one missed character in a bit of code had caused fragments of sensitive client data belonging to smaller web clients, including passwords, web authorization tokens, and private messages, to be published online. That information may have been cached by search engines and may have been recorded by data scrapers looking to exploit sensitive information.
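The mechanism the article compresses into one clause is worth seeing concretely. The C program below is a constructed simulation added here; it is not CloudFlare's code and not the parser CloudFlare described. CloudFlare's own post-mortem attributed the leak to a pointer check written as `==` where `>=` was required, and the toy scanner reproduces that pattern: once a multi-byte step carries the pointer past the end of the page, an equality test never fires and the loop keeps copying whatever bytes follow. All names (`HEAP`, `PAGE_LEN`, `scan_buggy`, `scan_fixed`) and the sample bytes are invented, and the "heap" is one array so the demo never reads memory the program does not own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed simulation of a parser over-read. The "heap" is a single
 * array so the demo stays inside memory it owns; in a real process the
 * bytes after the page belong to other requests and nothing stops the read.
 */
static const char HEAP[] =
    "hi<b"                  /* the client's page, cut off mid-tag (4 bytes) */
    ">token=s3cr3t-other";  /* adjacent bytes from another tenant (constructed) */

#define PAGE_LEN 4

/* Copies text characters of [p, pe) into out, skipping 3-byte tags such as
 * "<b>". strict == 0 uses the buggy termination test (p == pe); strict != 0
 * uses the corrected one (p >= pe). hard_end only bounds the simulated heap. */
static size_t scan(const char *p, const char *pe, const char *hard_end,
                   char *out, size_t cap, int strict)
{
    size_t n = 0;
    while (n + 1 < cap && p < hard_end) {
        int at_end = strict ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        if (*p == '<') {      /* skip a tag: this step may land PAST pe */
            p += 3;
            continue;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}

/* Buggy scanner: terminates only when the pointer lands exactly on pe. */
size_t scan_buggy(char *out, size_t cap)
{
    return scan(HEAP, HEAP + PAGE_LEN, HEAP + sizeof(HEAP) - 1, out, cap, 0);
}

/* Fixed scanner: terminates as soon as the pointer is at or beyond pe. */
size_t scan_fixed(char *out, size_t cap)
{
    return scan(HEAP, HEAP + PAGE_LEN, HEAP + sizeof(HEAP) - 1, out, cap, 1);
}

/* Returns 1 if the output contains bytes that lie beyond the page boundary. */
int leaked_foreign_bytes(const char *out)
{
    return strstr(out, "token=") != NULL;
}

int main(void)
{
    char out[64];
    scan_buggy(out, sizeof out);
    printf("buggy: \"%s\"\n", out);   /* copies the neighbouring tenant's bytes */
    scan_fixed(out, sizeof out);
    printf("fixed: \"%s\"\n", out);   /* stops at the page boundary */
    return 0;
}
```

The defensive lesson is the one the article's sources draw in prose: the fix is a single character, but the symptom (other tenants' data in a response) is indistinguishable from an intrusion, so bounds checks on hand-written or generated parsers should be written as range tests (`>=`) rather than equality tests, and fuzzing that feeds truncated inputs is what surfaces the difference.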

Tavis Ormandy, a computer security staffer at Google’s Project Zero, identified the bug and reported it to CloudFlare, which promptly corrected the error. The bug has been commonly referred to as “CloudBleed,” a reference to the Heartbleed bug in OpenSSL disclosed in 2014, which exposed thousands of private user keys and session cookies and potentially allowed hackers to impersonate users.

Kroll’s Los Angeles managing director Erik Rasmussen said the leak doesn’t seem to have caused much, if any, data exposure for law firms and legal departments. For all the noise about cloud adoption among legal service providers, Rasmussen said that not enough firms and departments have really adopted the technology to generate a major impact from a leak like that of CloudFlare.

“The impact has been low because most legal entities, even in the bigger entities, don’t really use cloud services yet,” Rasmussen said, adding that Kroll hasn’t heard any concern from legal clients about potential compromises. CloudFlare’s clients are largely smaller and mid-sized consumer-facing businesses.

Marcus Christian, partner at Mayer Brown, noted that because the memory leak was caused by a programming error rather than a deliberate intrusion (where a fixed starting point might be more easily identified), identifying the exact exposure for law firms and legal departments is a little murkier.

“I think in general it’s really hard to know what kind of impact it’s made,” Christian said. “The number of websites that could have been affected is pretty high.”

Indeed, because the potential size and scope of the memory leak is difficult to discern, the CloudBleed leak has caused a lot of anxiety in the tech community. While information security teams generally prepare for the possibility of data breaches caused by either external hackers or internal leakers, CloudBleed presents something of a confounding case.

“This company that was impacted is one that was deemed to be enhancing security, not actually creating vulnerabilities,” Christian said.

Christian encouraged law firms and legal departments to recognize that software is built by humans—code glitches are just another fact of the threat landscape that information specialists will have to safeguard against. “One of those realities we always re-state is we’re an imperfect world with imperfect people and imperfect security,” he said.

“I think that people think there’s going to be a silver bullet to protect technology. To date, that silver bullet hasn’t been found. We shouldn’t be relying on or planning for that day to happen,” Christian added.

Zach Olsen, president of PR firm Infinite Global, specializes in data breach communications. He said that his legal clients have expressed some concern about CloudBleed, as they typically do about any high-profile threat to data security. While none of his clients has been directly impacted by CloudBleed to date, he noted that smaller firms, which are strapped for data security resources, “are especially vulnerable because they need to spend the same amount of money as a megafirm on protecting their stuff.”

But while the more established cloud services typically run their prices high, Rasmussen encouraged smaller and mid-sized firms to consider that cloud services “when properly implemented are some of the most secure and cost efficient ways to store data.”

“It’s no secret that to have the most secure cloud service, you have to pay more money than the out of the box solution. Most people would agree that the ‘out of the box’ solution is better than no solution,” he said.

For those still concerned about potential impact, Olsen, Christian and Rasmussen all encouraged attorneys to consider changing their passwords and using two-factor authentication. If any credential information has been leaked, securing your authorization credentials can at least help users stay ahead of threat actors looking to access their systems. Christian also suggested that users on mobile apps should log out and log back into apps with sensitive data.


Reprinted with permission from the March 2 edition of Legaltech News © 2017 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.