8M UK healthcare worker records, including IDs and financial data, exposed due to a misconfigured staff management database from UK-based software firm Logezy.
Cybersecurity researcher at vpnMentor and co-founder of Security Discovery, Jeremiah Fowler, recently uncovered a major data leak involving a UK-based software company, Logezy, which specializes in employee data management.
According to Fowler’s investigation, shared with Hackread.com, the exposed data revealed nearly 8 million records, totaling 1.1 TB of data (7,975,438 files), stored in a database that lacked both password protection and encryption.
The exposed database contained sensitive information, including work authorization documents, national insurance numbers, certificates, electronic signatures, timesheets, user images, and government-issued identification documents.
“The database also contained 656 directory entries indicating different companies, most of which were healthcare providers, recruiting agencies, or temporary employment services, Fowler noted in his report.
Fowler promptly notified Logezy, and access to the database was subsequently restricted. However, questions remain about how long the database was publicly accessible, whether unauthorized individuals accessed the data, and if the database was managed directly by Logezy or a third-party contractor. A forensic audit could potentially answer these questions.
Derby, England-based firm Logezy’s Staff Management Software is designed to streamline the management of both permanent and temporary staff, offering features for worker deployment, payments, billing, and employee data management. It is worth noting that while Logezy claims to serve various industries, the exposed records primarily pertained to the healthcare sector and healthcare workers.
This data exposure poses substantial risks, particularly within the healthcare industry, which has been increasingly targeted by cyberattacks. The compromised information could be exploited for malicious purposes, including identity theft, where criminals might use the stolen data to assume the identities of healthcare workers for financial gain.
The exposed credentials and electronic signatures could also facilitate unauthorized access to internal healthcare systems, possibly exposing sensitive patient data. “It is no secret that healthcare data is a valuable commodity to cyber criminals, but so is the PII of those who work in the healthcare industry,” said Fowler.
Furthermore, the personal information could be used in social engineering attacks, where cybercriminals manipulate individuals to divulge confidential information or grant system access. It also raises the risk of ransomware attacks, which can severely disrupt healthcare operations.
Fowler does not imply any wrongdoing by Logezy and advises individuals who suspect their information may have been compromised to monitor their accounts and credit reports for any signs of suspicious activity.
He also emphasizes the heightened risks associated with centralized data storage, particularly for companies handling data from multiple organizations. Segmenting data into separate, secure storage environments with advanced access control mechanisms and encryption to mitigate the impact of data leaks may be a better strategy to prevent the risks caused by such unexpected data exposures, Fowler concludes.
