Nearly 32 million documents, including invoices, contracts, and agreements, were exposed online by ServiceBridge, a global field service management provider.
Cybersecurity researcher Jeremiah Fowler made the discovery, reporting the unprotected database to WebsitePlanet. The database contained 31.5 million records, including sensitive business and personal information from companies around the world.
The exposed database, which was not password-protected, contained 31,524,107 files with a total size of 2.68 terabytes. The files, primarily in PDF and HTML formats, were organized by year and month, dating back to 2012. The documents included contracts, work orders, invoices, proposals, and other business-related records from a diverse range of industries. The exposure of such documents raises significant concerns regarding security and privacy.
Fowler identified that the database belonged to ServiceBridge, a field service management platform owned by GPS Insight. ServiceBridge provides software for job dispatching, scheduling, and work order management across multiple industries. Following responsible disclosure, the database was quickly secured from public access. However, it remains unclear how long the database was exposed or if others accessed the sensitive information.
The leaked documents included personal identifiable information (PII) such as names, addresses, email addresses, phone numbers, and partial credit card data. Some files even contained HIPAA patient consent forms and medical equipment agreements, highlighting the potential risks to both privacy and physical security. A wide range of customers appeared in the documents, from private homeowners and schools to well-known chain restaurants, Las Vegas casinos, and medical providers.
This kind of exposure leaves the door wide open for invoice fraud. Invoices and internal business documents can be exploited by criminals using insider knowledge to defraud businesses and customers. In 2023, it was reported that 52% of large companies experienced some form of payment fraud, and small to medium-sized businesses are particularly vulnerable to these scams.
This incident stresses the importance of robust data security measures. When applications handle sensitive documents, it is of utmost importance that they are stored securely, ideally with encryption and access controls. Misconfigurations that allow public access to databases can result in massive data leaks, as seen in this case.
While Fowler says that there is no evidence of wrongdoing or negligence by ServiceBridge or GPS Insight, the incident is a critical reminder of the risks of inadequate data protection. The timeline of the exposure and whether other parties accessed the data remains unknown.
Ethical cybersecurity researchers like Fowler aim to raise awareness of such vulnerabilities and advocate for best practices in data security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.