A tax credit consulting firm seems to have exposed the personal data of thousands of Americans after leaving a slew of sensitive documents unprotected online. The breach was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to vpnMentor.
As outlined by Fowler, the unencrypted, non-password-protected database contained 245,949 records, which translated to nearly 287 GB of data. Among the files included: addresses, Social Security numbers, work history, and even DD214 U.S. Department of Defense discharge forms.
Available to “Anyone With an Internet Connection”
“In a limited sampling of the exposed documents, I saw files that detailed PII such as names, physical addresses, email addresses, DOB, and SSN in plain text,” Fowler wrote. He also identified driver’s licenses, identification cards, and sensitive tax credit forms. Many of the documents, he said, were “available to anyone with an internet connection and a web browser.”
The information appears to be related to Rockerbox, a Dallas-based consultancy firm that helps entities reclaim employer tax credits like the Work Opportunity Tax Credit (WOTC) and the Employee Retention Credit (ERTC). The firm has customers from diverse sectors like healthcare, manufacturing, trucking, and hospitality.
Fowler noted that while Rockerbox was never confirmed as the owner of the database, “information contained in the internal files indicated the records appeared to belong” to the company. Despite reaching out with a responsible disclosure notice, he received no reply. The database was taken offline several days later.
Ongoing Issues With Misconfigured Cloud Storage
The event is the latest example of ongoing issues with misconfigured cloud storage, particularly where sensitive personal data is involved. Fowler said although some PDFs were password-protected, their file names and URLs revealed the names of individuals and businesses, document types, and perhaps even the password.
“It is theoretically possible that the numeric part of the file name could have contained the password to unlock the individual file,” he said, while clarifying he never attempted to access them. “As an ethical security researcher, I never bypass authentication credentials or test assumed passwords.”
The breach is troubling because of the nature of the data exposed. SSNs, dates of birth, and employment records can be a goldmine for identity thieves. Fowler stressed that he was not suggesting that Rockerbox’s clients were at risk, but he outlined possible attack scenarios where such data could be misused.
“In such scenarios, criminals could theoretically obtain sufficient personal information to impersonate individuals and attempt to obtain fraudulent credit accounts, apply for loans, or even file false tax returns,” he said.
Identity Theft on the Rise
His caution is not without precedent. According to Experian, the FTC logged over 1.1 million identity theft complaints in 2024, tied to more than $12.7 billion in losses. Over 2.6 million fraud cases were reported in the same period.
Fowler recommended that affected individuals monitor their financial accounts and consider placing fraud alerts or credit freezes with major credit bureaus. “The Federal Trade Commission (FTC) offers a valuable resource for reporting and recovery by visiting IdentityTheft.gov,” he said.
Better Cloud Hygiene is Key
For businesses, the message is that better cloud hygiene is crucial. “Never rely on security through obscurity,” Fowler warned. “Web-accessible files that contain identifiable information in the file path or name could potentially expose sensitive data through browser histories, logs, analytics tools, or even copy-pasted links.”
He advised companies to adopt zero-trust policies, use encryption for sensitive files, and audit access logs regularly. “Ensure that cloud storage configurations and firewall settings are accurate and up to date.”
Fowler also said the firm Rockerbox.tech, which operates under Screen Technologies LLC, is not associated with Rockerbox.com, a marketing analytics company acquired by DoubleVerify in 2025. Despite the shared name, the two companies operate in different industries.
He is not asserting any wrongdoing by Rockerbox or its affiliates. “The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively intended for educational purposes.”
Fowler’s goal, as always, is awareness. “I publish my findings to raise awareness of issues of data security and privacy,” he added. “My aim is to encourage organizations to proactively implement measures to safeguard sensitive information against unauthorized access.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.