Serious Security Gap Identified in Spain's Judicial Communications System

Rights International Spain has raised its concerns with the UN experts on privacy and judicial independence over a failure in the Ministry of Justice's electronic communications system that could have allowed any user to access any judicial file.
At the end of July, right before the summer recess, a group of lawyers detected a security hole in LEXNET, the telematic system used by the Ministry of Justice to exchange case information and documents (such as briefs, judgments and other resolutions) between the courts, lawyers, prosecutors and other judicial actors.

System down

Since LEXNET started operating, numerous legal professionals and judges' associations have continually raised and criticized security and separation-of-powers issues.

In particular, the vulnerability detected on July 27 allowed any user to access any case or file in the system, and to download, delete or modify the files of any other user. Those files include private and confidential information such as identification documents, bank and financial details, medical records and evidence.

Five hours after the vulnerability was identified, the Ministry of Justice closed the service. One hour after that, it reported that the problem had been solved and claimed that there had been no improper access.

On Friday, July 28, the Ministry announced that the system would be closed again from 4:30pm until 8:00am Monday, July 31, due to technical maintenance tasks. The Minister of Justice summoned a crisis cabinet to be held on Sunday, July 30.

Transparency issues

Following the meeting, the Ministry said it would open an internal investigation. In addition, the General Council of the Judiciary claimed it would investigate whether there had been any breaches of the data protection legislation, an investigation that requires the cooperation of the Ministry of Justice.

However, given the lack of transparency (only the proprietor has access, and any independent investigation will be able to rely only on what the proprietor decides to disclose), external evaluators will not be able to assess questions such as what has been done, how long the vulnerability existed and who had unauthorized access.

Only the Ministry of Justice (i.e., the government) can truly confirm what happened, and the magnitude and consequences of the data security breach.

UN asked to speak up

According to experts, although the specific vulnerability or hole may have been fixed, this does not prevent other potential major security holes or flaws from appearing in the future. Throughout the day on July 31, LEXNET kept experiencing problems, for example cross-notifications (notifications sent to one lawyer when they were meant to be received by other professionals or colleagues), which seem to indicate serious root problems.

Given that privacy rights may have been violated, RIS hopes that the relevant UN experts will address an appeal to the Spanish authorities.