The Everest Group hit a notary firm and, given the type of target and the amount of data exfiltrated, this data breach is likely to have truly dramatic consequences. Let us take stock of the situation.
General Information
On 17/07/2024, the cybergang Everest published a claim against the Bucci – Olmi Notary Firm, stating that 400Gb of data had been exfiltrated. According to Everest, the information would be made public by 20/07/2024. The report, as always, was received promptly through the Ransomfeed.it channel and is reproduced below.
From the sample files published by the Everest group, one can see the presence of identity documents, forms for the variation of items relating to a property, but above all copies of notarial deeds among which the initial part of a succession stands out.
History of events
- 15/07/2024 – Creation of the folder for public distribution of files
- 17/07/2024 – Everest Group claim
- 24/07/2024 – Uploading files to the publication portal but without giving notice
- 26/07/2024 – News of the publication of files by the Everest Group
Overview of risks
Notarial deeds are documents containing personal data and, given their sensitivity, count as special categories of data: succession deeds, sale and purchase deeds, company deeds, all of which should be kept confidential and are currently in Everest’s possession. According to its website, Studio Notarile Bucci-Olmi deals, among other things, with:
- Buying and selling real estate;
- Mortgages and financing;
- Wills, successions, protection of heirs;
- Consulting and drafting of articles of incorporation and amendments of partnerships and corporations;
- Drafting of minutes of meetings and minutes of board meetings in the form of a public deed;
- Corporate consulting for incorporations, mergers, demergers, transformations and extraordinary capital transactions;
- Chamber of Commerce Visits and extracts of deeds from the Register of Companies;
- Acts related to the management of residence permits.
A 400Gb mass of data is large and potentially very extensive: it may include hundreds and hundreds of deeds, scans, personal documents, invoices, etc.
INVOICE DATA
Date: 17/07/2024
Invoice: 003
CUSTOMER
LUCA ROSSI
VIA STRADA 1 - 00100 - ROME
F.C.: RSSLCU85M01H501L
SUBJECT
INHERITANCE OF MARIO ROSSI (ADDITIONAL BENEFICIARIES: LUCA ROSSI C.F.: RSSLCU85M01H501L; MARIA BIANCHI C.F.: BNCMRA92T41Z404D; GIORGIO VERDI C.F.: VRDGRG74A01F205X; SARA NERI C.F.: NRISRA88E41H501U; FRANCESCO FERRARI C.F.: FRRFNC81L11D704K; ELENA COSTA C.F.: CSTLNE79P41E200Z; MARIO ROMANO C.F.: RMNMRR90B01F205Y; GIULIA GATTI C.F.: GTTGLI95S41H501E; ANDREA ESPOSITO C.F.: SPSNDR83R01H703J; LAURA MARINI C.F.: MRNLRA87M41Z404S)
Above is a reconstructed example of a stolen invoice, which shows not only the data of the first holder but also the data of the other beneficiaries. It should be noted that the report made by Ransomfeed.co.uk was at 01:35 AM and was promptly acknowledged.
At 12.46 p.m. on 17 July 2024, no notice appeared on the notaries’ official portal giving the news of what had happened, but this does not mean that private communications had not already started via other channels.
The Bucci-Olmi Notary Studio
Studio Notarile Bucci – Olmi is based in Ancona and is managed by two notaries: Renato Bucci and Luigi Olmi. The history of the firm is fully described on its official website.
The associated firm was established on 1 September 1978 under the name of ‘Studio dei Notai Guido Bucci – Giuseppe Salvatore – Ugo Salvatore’, when the three owners decided to combine their professionalism and skills in order to guarantee a better service to clients. After the untimely death of notary Giuseppe Salvatore, the firm continued its activities with the two owners Guido Bucci and Ugo Salvatore until 17 June 2006, when notary Luigi Olmi joined the association. He was appointed notary in Ancona by decree in May 2006, after having passed the competition announced by ministerial decree in December 2002. In January 2007, notary Ugo Salvatore, after 48 years dedicated to the profession and representation in notarial bodies (he was President and member of the District Notary Council, member of the National Council of Notaries, secretary of the National Fund of Notaries and member of Notarial Competition Commissions), ceased his activity, without, however, failing to make his contribution to national bodies as representative of retired notaries at the National Fund of Notaries, a position he held until 2013. In April 2012, notary Renato Bucci joined the association. After practising in the Turin district following his appointment on 28 June 2011, he was transferred to Ancona. (Source: Studio Notarile Bucci-Olmi)
The firm is well-established in and around Ancona and this could make the repercussions of the data breach more serious.
Ethics note
It was decided not to publish any stolen material, even if censored. The Bucci-Olmi Notary Studio will have to cope with a crisis that is serious enough in itself, and the publication of material, even if anonymised, would not help the situation. Readers will still be able to refer to what is reported in the article and possibly to faithful textual reconstructions of what was published by the hackers, which, however, will not contain any real data.
Considerations on exfiltrated files
As listed in the updates section, the Everest group published the files exfiltrated from Studio Notarile Bucci Olmi, and the following are some considerations. The archive, as explained earlier, consists of several files in RAR format, each containing a portion of the exfiltrated files. This means that the Everest collective attempted to maximise the effectiveness of the attack by making the files available in multiple archives, each easily acquired from the Internet. It would therefore not be necessary to download the entire 400Gb to get hold of the files of the Bucci-Olmi Notary Firm.
Each archive may contain a multitude of files and documents including:
- Declarations in lieu of affidavit
- Contracts of various kinds (sale/purchase/rental)
- Company acts
- Wills
Please note that each act includes the personal data of individuals. Of course, it is easy to assume that the archives also contain documents such as these:
- Land registry searches (with personal and property data)
- Reports from mortgage inspections
- Visits for companies made to the Chamber of Commerce
- Tax payment receipts
- Email messages with public offices and customers
Conclusions
Below are updates on the data breach, but before closing the article, it is good to pause for a second to comment on what happened. On 20 November 2020, EuroNotaries, a famous notary association founded by Studio Genghini & Associati, held an online event to train and raise awareness among notaries on cybersecurity. It was an important event, which was attended by many notaries, but only the younger ones asked questions about increasing cybersecurity. Over time, participation in these webinars would confirm what was perceived at the time.
Cybersecurity is crucial for notaries, accountants, and lawyers, because the data in their possession are of the highest level of sensitivity and importance. The Bucci-Olmi data breach is just one of many that have affected the notary category. It is necessary that these professional orders take cybersecurity very seriously; otherwise the classic mismatch between the relevance of the processing and the insufficiency of the technical and organisational measures for cybersecurity will arise.
Abuse reported
The data breach was serious and it was possible to report the abuse directly to the administrators of the platform used by Everest to publish the files. Thus, at 15:32 on 26/07/2024, the ‘Abuse’ link was used and the problem described in a message. The technical staff stopped the publication of the files shortly afterwards, at around 16:13. The file links were all broken and the folder now appears empty. Mind you, this probably won’t stop Everest from publishing the files; the group will surely adopt another channel or simply another account, but hopefully it will help slow down the spread.
Updates
21/07/2024 – 11:02 – No publication of data yet
To date, the Everest collective has not yet published the data of the data breach. The collective had given the Bucci-Olmi Notary Firm 3 days to make contact with them and this deadline expired on 20/07/2024.
23/07/2024 – 09:34 – No publication of data yet
The silence from the Everest group continues: it has not yet published the 400GB of files exfiltrated from the Bucci-Olmi Notary Studio.
25/07/2024 – 11:25 – No publication of data yet
The Everest Group has not yet published the files exfiltrated from the Bucci-Olmi Notary Firm. Monitoring activities will continue.
26/07/2024 – 15:00 – Publication of exfiltrated files on the Internet
The Everest collective published the files of the Bucci-Olmi notary firm outside the TOR network. The Ransomfeed platform reported the news at 15:04 on 26/07/2024.
Everest published part of the 400Gb: these are RAR archives organised as follows:
Archive | MD5 | Date | Size (GB)
---|---|---|---
1.rar | ??? | |
2.rar | ??? | |
3.rar | ??? | |
4.rar | ??? | |
5.rar | 9a3d9e217890fe76cdc46ac634830111 | 2024-07-24 16:06:23 | 42.7
6.rar | ad7f84271e079c98d65ae685912e3e45 | 2024-07-24 16:42:48 | 2.7
7.rar | 86d5709e831acbab2a64c6b64c925e5d | 2024-07-24 16:59:14 | 7.8
8.rar | 3e3868eab9c9043c70a5d6c587071d1e | 2024-07-24 23:54:21 | 97.4
9.rar | 93a1cf46b8b557bb7b681cf32375a99f | 2024-07-26 03:37:59 | 151.2
TOTAL | | | 301.8
Please note that the first 4 archives (1.rar, 2.rar, 3.rar, 4.rar) have not been uploaded at the moment.
It is very important to note that Everest created the folder containing the files on 15/07/2024 18:03:09, i.e. a few days before the public claim (published on 17/07/2024).
Let us now turn to some considerations about the published RAR archives: their sizes suggest that each file is ‘self-contained’. Generally, in fact, multi-part archives are composed of individually numbered volumes of the same size (with the exception of the last one). What immediately jumps out, however, is that these files are all of different sizes, and the fear is that each is a ‘self-contained’ archive holding part of the published material. This way of publishing data makes it easily accessible to anyone with an internet connection.
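Whether a RAR file is one volume of a split set or a stand-alone archive does not have to be inferred from sizes alone: the RAR 5.0 main archive header records it in its archive flags (0x01 = volume, 0x02 = volume number present). The following is an added example, not part of the original article or of any tool it mentions; it parses that header, and because the leaked archives are not reproduced here, it also builds two constructed sample headers to run against.

```python
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"        # RAR 5.0 only; RAR 4.x has a shorter signature and is rejected
FLAG_VOLUME, FLAG_VOLNUM = 0x01, 0x02     # archive flags in the main archive header

def vint_encode(n):
    """RAR vint: little-endian, 7 data bits per byte, high bit means 'more bytes follow'."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def vint_decode(buf, pos):                # returns (value, position just after the vint)
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return n, pos

def build_main_header(archive_flags, volume_number=None):
    """Constructed main header: CRC32 | header size | type=1 | header flags=0 | archive flags [| volume number]."""
    body = vint_encode(1) + vint_encode(0) + vint_encode(archive_flags)
    if volume_number is not None:
        body += vint_encode(volume_number)  # absent on the first volume, 1 on the second, and so on
    sized = vint_encode(len(body)) + body
    return zlib.crc32(sized).to_bytes(4, "little") + sized  # CRC covers the size field to the header's end

def inspect_rar5(data):
    """Parse the main archive header and report whether the file is one volume of a split set."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR 5.0 archive")
    crc = int.from_bytes(data[8:12], "little")       # 8-byte signature, then the header CRC32
    size, p = vint_decode(data, 12)
    if zlib.crc32(data[12:p + size]) != crc:
        raise ValueError("main header CRC mismatch")
    htype, p = vint_decode(data, p)
    if htype != 1: raise ValueError("expected main archive header (type 1), got type %d" % htype)
    hflags, p = vint_decode(data, p)
    for bit in (0x01, 0x02):                # skip optional 'extra area size' and 'data size' fields
        if hflags & bit:
            _, p = vint_decode(data, p)
    aflags, p = vint_decode(data, p)
    volnum = vint_decode(data, p)[0] if aflags & FLAG_VOLNUM else None
    return {"volume": bool(aflags & FLAG_VOLUME), "volume_number": volnum}

SAMPLE_VOLUME = RAR5_SIG + build_main_header(FLAG_VOLUME | FLAG_VOLNUM, 3)  # constructed: 4th volume of a split set
SAMPLE_SINGLE = RAR5_SIG + build_main_header(0)                            # constructed: stand-alone archive
```

On a real file, read the first few hundred bytes and pass them to inspect_rar5; a header-encrypted archive starts with a type 4 header instead and is rejected by the type check.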