An unsecured database exposed almost 32 million invoices, contracts, HIPAA patient consent forms, and other documents amounting to almost 2.7 TB of data from several companies across various industries. The database belongs to ServiceBridge, a software-as-a-service provider used by various companies to handle work orders, manage employees in the field, take payments, generate invoices, and more.
Information security researcher Jeremiah Fowler discovered the database. In his report, Fowler shared that some records found in the database go back as far as 2012, and most are in PDF and HTML formats, organized in folders by years and months.
It’s not known how long the database was exposed and publicly accessible or if anyone other than Fowler has accessed the unprotected documents. The database was promptly secured when ServiceBridge was informed of the breach, although Fowler reports he didn’t hear back from the company about the exposure.
The files themselves seem to belong to ServiceBridge clients, including, but not limited to, “private homeowners, schools, and religious institutions, to well-known chain restaurants, Las Vegas casinos, medical providers, and many others.” Most of the analysed documents seem US-based, but businesses and customers from the UK, Canada, and multiple European countries were also caught in the leak.
Many of the exposed documents seem to contain information that wasn’t intended to be public, either. Some files contain personally identifiable information (PII), including names, physical addresses, email addresses, phone numbers, partial credit card data, HIPAA patient consent forms, and medical equipment agreements that identify individuals as patients, listing their first and last names.
Other documents, marked as “site audit reports,” showed images of the inside and outside of properties and businesses. Several documents also included gate codes or other access information that could pose a “potential physical security risk to property or individuals.”
The fact that such a large database was unprotected on the Internet for an unknown period of time poses multiple risks to both businesses and individuals involved. The information available in the database makes anything from man-in-the-middle attacks to invoice and identity fraud possible. Although Fowler clarified that he isn’t implying that ServiceBridge users or their end customers are at risk of invoice or other types of fraud, he did warn users to remain vigilant.