Millions of data files exposed in massive security breach — see if your business is affected
The documents include partial credit card numbers, invoices, and HIPAA consent forms
Security researcher Jeremiah Fowler has discovered that a massive database belonging to field service management platform ServiceBridge was left freely available online.
In total, the database numbered 31,524,107 files, dating back to 2012 and primarily belonging to companies from the US, UK, and Canada, Fowler shared in a report with Cybernews.
The documents, which were not password protected, and did not require security authorization, included sensitive and confidential information such as contracts, invoices, inspections, partial credit card numbers, and HIPAA consent forms - as well as personally identifiable information such as full names, addresses, and phone numbers.
Invoice fraud
Some files, labelled ‘site audit reports’, contained images of the interior and exterior of properties and businesses, as well as gate access codes and other access material. This poses a serious physical security risk for those exposed, some of whom were private homeowners, as well as large chain restaurants, casinos, and medical providers to name a few.
The companies affected by this leak are particularly vulnerable to spear phishing attacks and invoice fraud, due to the specific details available. This type of fraud is on the rise as it is, with 31% of UK businesses falling victim to invoice fraud over the last year. Fowler outlined the dangers in his report:
“The potential risks of invoice fraud are a double-edged sword that affects both business-to-customer (B2C) and business-to-business (B2B) transactions,” he said. “Exposed invoices and internal business documents can potentially serve as a template for criminals to target victims using internal information that only the business and the customer would know.”
The database has since disappeared after a disclosure notice was sent to ServiceBridge, and it’s not clear how long the information was available, or who accessed it.
However, the incident demonstrates the need for effective security audits and access controls. All companies that store and handle sensitive information have a responsibility to their clients to protect data - we’ve featured the best encryption software to keep your information secure.
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.