A major database misconfiguration exposed millions of sensitive records belonging to ServiceBridge customers. Learn about the risks and consequences of this data exposure and how businesses can protect themselves from similar incidents.
Cybersecurity researcher Jeremiah Fowler has uncovered a major cloud server misconfiguration affecting ServiceBridge, a popular field service management platform based out of Chicago, IL, United States.
Fowler’s investigation found a database containing over 31 million records, or 2.68 TB of data, exposed online and revealing sensitive information belonging to ServiceBridge’s customers.
What’s worse, the database was available for public access without any password or security authentication. The exposed data included sensitive information such as names, addresses, email addresses, phone numbers, and even partial credit card data. Additionally, HIPAA patient consent forms and medical equipment agreements were found, revealing personal health information.
The documents dated back to 2012 and belonged to a diverse range of businesses, including private homeowners, schools, religious institutions, chain restaurants, LA casinos, medical providers, and more. The files, around 31,524,107 in number, were in PDF and .htm formats and included contracts, work orders, invoices, proposals, inspections, and completion agreements.
“In the limited sampling of documents I analyzed, the majority appeared to be US-based, but I also saw businesses and customers from Canada, the UK, and numerous European countries,” Fowler noted in his report shared with Hackread.com ahead of publication on Monday.
After Fowler notified the company, the database was restricted from public access. However, it is unclear how long it remained exposed or if anyone else gained access. It is also unclear whether it was managed by ServiceBridge or a third party. It is worth noting that some files were marked with a GPS Insight logo, but no fleet management documents were found.
The exposure raises security and privacy concerns. Potential risks include invoice fraud, which affects both business-to-customer (B2C) and business-to-business (B2B) transactions and can lead to significant losses for businesses.
As per a 2022 report, an average US business lost $300,000 annually due to invoice schemes and payment fraud, while 52% of large companies experienced such scams in 2023. Exposed personal information could be used for identity theft, leading to financial loss and reputational damage.
Fowler found “site audit reports” offering images of internal and external premises of the businesses/properties. Additionally, the database exposed documents that could potentially compromise physical security, such as gate codes and access information for properties and businesses.
The incident highlights the importance of robust data security measures, including encryption, access controls, and regular security audits. ServiceBridge, as a provider of sensitive business information, has a responsibility to ensure the protection of its customers’ data.