Security lapse at contract startup Evisort exposed sensitive data

Evisort, a document and contract management company, left one of its document databases unsecured, exposing customer data.

The startup, founded by former Harvard and MIT students in 2016, bills itself as an artificial intelligence contract management company that helps customers organize their legal documents and contracts. Among its claims: it can evaluate a 30-page contract and pull out the most relevant information in a matter of seconds. Investors like the pitch so far; the company has raised $4.5 million in seed funding led by Village Global and Amity Ventures, with participation from Accenture and SAP.

According to an anonymous tip sent in to TechCrunch, the company left an Elasticsearch database open without a password, allowing anyone to search the files inside. When reached, Evisort’s chief executive Jerry Ting said the database was “for testing and development purposes only” and an audit was under way.
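The failure described here is an Elasticsearch node whose REST API answers anonymous requests: anyone who can reach port 9200 can list the indices and run searches against them. The script below is an added example (not TechCrunch's reporting code, and not anything from Evisort) showing the two checks a practitioner would run: an unauthenticated probe of `/_cat/indices`, whose reply is classified as open or protected, and an audit of a flat `elasticsearch.yml` that flags a non-loopback `network.host` without `xpack.security.enabled: true`. It assumes 7.x-era setting names (8.x enables security by default, so a missing key means something different there), reads only single-level `key: value` lines, and uses constructed sample replies and configs so it runs offline.

```python
"""Check an Elasticsearch node for unauthenticated exposure (added example).

Two checks, both usable offline:
  classify_probe()  - interpret the reply to an anonymous GET /_cat/indices
  audit_config()    - flag an elasticsearch.yml that exposes the REST API
Standard library only. Setting names assume Elasticsearch 6.8/7.x.
"""
import json
import sys
import urllib.error
import urllib.request

INDEX_LISTING = "/_cat/indices?format=json"


def classify_probe(status, body):
    """Classify an anonymous request for the index listing.

    'open'          : 200 with a JSON list -> anyone can enumerate and search
    'auth_required' : 401/403 -> the node enforces credentials
    'unknown'       : anything else (proxy page, other service, error)
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            parsed = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(parsed, list):
            return "open"
    return "unknown"


def probe(base_url, timeout=5):
    """Send the anonymous request; return (status, body) or None if unreachable."""
    req = urllib.request.Request(base_url.rstrip("/") + INDEX_LISTING,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:     # 401/403/404 still carry a status
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None


def parse_simple_yaml(text):
    """Read flat 'key: value' lines of elasticsearch.yml (simplified: no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(yml_text):
    """Return findings for a flat elasticsearch.yml; empty list means no issue."""
    s = parse_simple_yaml(yml_text)
    findings = []
    host = s.get("network.host", "")             # unset means loopback only
    public = host not in ("", "127.0.0.1", "localhost", "_local_", "::1")
    if public:
        findings.append(f"network.host={host} binds a non-loopback interface")
    # Before 8.0 security was off unless set explicitly, so require an explicit true.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: REST API accepts anonymous requests")
    if public and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP TLS is not enabled on a non-loopback listener")
    return findings


# Constructed samples (not real data): a dev node bound to every interface with
# no security settings, and the same node hardened.
WEAK_CONFIG = """
cluster.name: dev-docs
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED_CONFIG = """
cluster.name: dev-docs
network.host: 127.0.0.1            # reach it over a VPN or SSH tunnel instead
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
# Constructed replies an anonymous probe might receive.
OPEN_REPLY = (200, '[{"index": "contracts", "docs.count": "1240"}]')
SECURED_REPLY = (401, '{"error": {"type": "security_exception"}}')

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
    print("sample open reply     ->", classify_probe(*OPEN_REPLY))
    print("sample secured reply  ->", classify_probe(*SECURED_REPLY))
    if len(sys.argv) > 1:                        # optional live probe of your own node
        result = probe(sys.argv[1])
        print(sys.argv[1], "->", "unreachable" if result is None else classify_probe(*result))
```

Run it with no arguments for the offline demonstration, or pass `http://host:9200` to probe a node you are authorized to test. A verdict of `open` on a node that holds anything but throwaway data is the condition this article describes; the remediation is the hardened configuration (loopback binding or a firewall rule, authentication on, TLS on), not just a password on the application in front of it.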

While some of the documents were marked “dummy” and “test” files, many documents seen by TechCrunch contained customer data.

“These are confidential agreements between many established large famous companies that are hosted on the internet for anyone to see,” said the anonymous tipster, who provided links to several files in the database.

The company lists Stack Overflow and TravelZoo as customers. The database also contained non-disclosure agreements between Evisort and Samsung. A similar agreement with Squarespace found in the database was signed by Ting.

Many of the files included employee contracts, loan agreements (one worth $200 million) and resumes. We reached out to several people whose information was found in the database. One person we spoke to said they had no idea how their resume got into Evisort’s database. Other files appeared to be contracts and agreements submitted by Evisort customers.

Many of the documents we saw had confidential information.

Another file contained details of an agreement between Evisort and a third-party security company, dated February 21, to conduct a penetration test on its network, a way of finding and fixing security vulnerabilities before they are exploited.

Evisort shut down the database within an hour of TechCrunch reaching out.

In a follow-up email, Ting conceded that some customer data was exposed. (Ting declared his email “off the record,” which requires that both parties agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject.)

“The database is not part of our production environment, but a part of our internal development environment used by our engineers,” he said.

“Although our investigation is ongoing, the vast majority of information contained in the development database was placeholder or benign information used for testing purposes,” he said in the email. “However, it appears that there may be a small number of legitimate documents in this environment.”

“As part of our investigation, we will be reviewing the entire data set in the environment, along with any available logging data, to determine what information may have been affected and we will be communicating directly with any of our customers who could be affected,” he added.

Ting added that the company is “in the process of retaining” an outside forensic firm to assess the impact on customers.

Evisort didn’t say how long the data was exposed. Data search engine Binary Edge first detected the system on March 22.

It’s the latest in a string of sizable data exposures in recent months, including text messages, medical records, a watchlist of high-risk individuals, a robocalling firm, millions of mortgage and loan documents and even a spam operation.
