🟠 High | Source: The Register — Security
A law firm was found to be using a single shared administrator password across its systems, meaning anyone with that credential could access all client data and impersonate any user. This represents a fundamental failure of identity and access management, exposing highly sensitive legal and client information to insider threats and external attackers alike. The incident highlights how credential hygiene failures can render all other security controls ineffective.
Security Architect’s Take: Audit your organisation and any third-party legal or professional services partners for shared administrative credentials immediately; enforce role-based access control, individual named accounts, MFA, and privileged access management (PAM) tooling to ensure every administrative action is attributable to a specific identity.
Original advisory: Law firm insisted on one password to rule them all