Approximately 31.5 million invoices, purchase orders, contracts, patient forms, and other sensitive documents were exposed online in an unencrypted database. The 2.7TB of data came from SaaS provider ServiceBridge, and some of it dates back to 2012.
Information security expert Jeremiah Fowler reports on WebSitePlanet that he found a large number of confidential documents. He says that such open databases (i.e., those that are not secured by the data owners or custodians) benefit criminals, who can use the data for phishing, fraud, man-in-the-middle attacks, and other fraudulent activities.
Fowler reportedly notified ServiceBridge of the database, which the company immediately locked down, but it has not responded further.
European companies also appear
It’s unclear how long the database was exposed on the internet, whether others have stolen information from it, and who maintains it — ServiceBridge or a third party. Most of the data came from U.S. companies, but some documents were from companies in Canada and Europe, Fowler said. He declined to say which European countries those documents came from.
The information consisted of PDF and HTML documents neatly categorized into folders by year and month. In an interview with The Register, Fowler said the client list included homeowners, schools, religious institutions, casinos, health care providers, pest control companies and restaurants.
In addition to the document types mentioned above, the documents also included work orders, inspection forms, partial credit card information, and in some cases, home addresses, exterior and interior photographs of the lots, and even access codes to enter such properties.
Falsifying invoices
ServiceBridge provides software for field service employees, including field service management, work scheduling, contracts and work orders. Fowler cites partially paid invoices, which contain all of a customer’s vital information, as an example of how fraud could occur: a fraudster could easily re-create the invoice and ask the customer to pay the remaining amount.
ServiceBridge was acquired in 2020 by GPS Insight, which specializes in fleet management and GPS tracking systems. There were documents in the database with the company’s logo, but they weren’t related to fleet management. Fowler said he doesn’t mean to suggest that ServiceBridge was negligent, nor does he know if any data was actually taken. But he urges the company’s customers to be extra vigilant. “I don’t believe in anything.”