Law firm ran client system with shared credential, IT worker says
A pseudonymous IT worker said an unnamed law firm used one shared password to impersonate staff and clients across a 15-year-old web system.
By Dominic Okoye · Staff Writer
· 3 min read
An unnamed law firm allowed staff to access accounts across its client system using a shared administrator credential, according to an account published by the PWNED security column. The practice allegedly let employees impersonate other staff and clients, including access to personal data and health records, while management resisted removing the capability.
The account came from a reader identified under the pseudonym Manny, who said he joined the firm several years ago and effectively became its one-person IT department. The firm was not named, and the column did not disclose its location, client count, regulator, or whether any breach or enforcement action followed.
According to Manny, the firm’s data and applications were concentrated in a single large browser-based interface. The system separated work by client type, with areas for matters such as personal injury cases and travel refund claims. That centralization made the shared credential more consequential: one login mechanism could reach multiple categories of sensitive client information.
Manny said he found that a single password could be used to sign in as any user if the person’s email address was known. The access applied to both internal staff and clients, he said. In practice, that meant staff could enter a colleague’s account to move work when someone was absent, or enter a client account to complete missing fields on the client’s behalf.
That is a control failure by any normal enterprise standard. Shared privileged credentials remove individual accountability, make audit logs less useful and increase the blast radius if the password is leaked, guessed or reused elsewhere. For a law firm handling medical and other personal information, the exposure is sharper because legal case files often combine identity data, financial details, correspondence and health records.
Manny said he raised the issue as a serious security risk, but was told the password was the administrator password and that it was commonly used. The firm’s position, as described by Manny, was to leave the arrangement in place.
The age of the system was also part of the problem. Manny described the platform as 15 years old and said it needed replacement. He was later asked to build a new system, according to the account. When management wanted the same kind of hidden access preserved in the replacement, he refused to add it.
The workaround was not better. Manny said the firm responded by promoting every user to system administrator status and continued operating as before. The column did not say whether the replacement system entered production, whether the old system was retired, or whether the firm later adopted role-based access controls, multifactor authentication, privileged access management or client account separation.
The episode is a familiar pattern in small and mid-sized professional services firms: a bespoke or aging line-of-business system becomes the operational center of the company, then convenience hardens into policy. Legal practices are especially exposed because they depend on fast file access across teams, but also hold data that can create regulatory, litigation and reputational risk if mishandled.
No breach was reported in the account. That is luck, not a compensating control. The notable fact is that the firm allegedly treated impersonation access as routine workflow, then expanded administrative rights when an IT worker declined to rebuild the same weakness into a new system.
This story draws on original reporting from The Register.