Huge database of sensitive info exposed to the internet

Some 31.5 million invoices, purchase orders, contracts, patient forms, and other sensitive documents have been available online in an unencrypted database. The 2.7 TB of data came from SaaS provider ServiceBridge and dates back to 2012 in some cases.

Infosec specialist Jeremiah Fowler discovered the large amount of sensitive documentation, which he reports on WebSitePlanet. He argues that such an open database (i.e., unshielded by either the owner or administrator of the data) is a boon to criminals who can use the data for phishing campaigns, scams, frauds, and man-in-the-middle attacks.

Fowler reportedly brought the database to ServiceBridge’s attention, which promptly put the database under lock and key. However, no further response was forthcoming.

European companies also pop up

It is unclear how long the database had been open to the internet, whether others stole information from it and who managed it, either ServiceBridge or a third party. Although most of the data came from parties in the United States, Fowler said there were also documents from Canadian and European companies among them. He did not specify which countries in Europe these are from.

The information consisted of PDF and HTML documents neatly sorted into folders by year and month. In an interview with The Register, Fowler says the list of customers included homeowners and schools, religious institutions, casinos, health care providers, pest control companies and restaurants.

Besides the aforementioned document types, it included work orders, inspection forms, and partial credit card information. In some cases, even home addresses were listed, along with photos of the exterior and interior of the properties and sometimes the access codes needed to enter them.

Counterfeiting invoices

ServiceBridge provides software for field service management, work scheduling, contracts, work orders, and the like for field service employees. As an example of potential abuse, Fowler mentions a partially paid invoice. This had all of the customer’s important information on it. A scammer can easily recreate the invoice and ask the customer to pay the rest of the invoice amount.

ServiceBridge was acquired in 2020 by GPS Insight, which specializes in fleet management and GPS tracking systems. Although there were documents in the database with that company’s logo, they did not involve fleet management. Fowler says he does not want to imply that ServiceBridge acted negligently. Nor does he know if any data was actually captured. However, he does urge customers of the company to be extra vigilant. “Trust nothing.”