Health-related staff management firm Logezy was recently discovered by ethical hacker Jeremiah Fowler to have left nearly 8 million of its records exposed in a database with neither password protection nor encryption.
The files contained both structured and unstructured data, from PDF files of work authorization documents to images of drivers’ licenses.
Logezy is a software company that facilitates employee data management, dealing with such things as compliance and payroll. As such, it frequently ingests sensitive documentation, and the contents of the database ran the gamut: national insurance numbers, electronic signatures, timesheets, photographs of employees, government-issued ID documents, and various certificates.
Fowler noted that while the company claims to serve across all sectors, the specific cross-section of data he came across when investigating pertained solely to healthcare and healthcare workers. As an ethical hacker, Fowler immediately reported the issue to Logezy – “I do not download the data I discover” – and the company removed the exposed database completely from public access shortly thereafter.
Noting that he implies “no wrongdoing by Logezy, or its employees, agents, contractors, affiliates, and/or related entities,” Fowler offered details of his findings, along with recommendations for best practices to prevent such an exposure in the future.
Potential Outstanding Risks
While the exposed database was discovered, reported, and taken offline upon notification, it is unclear if Fowler was the first to discover it. While this won’t be determinable until an internal forensic audit has been performed, the risks of the data being compromised prior to Fowler’s discovery include:
- Ransomware attacks: While the database is no longer accessible, data exfiltrated from it could be used in ransomware attacks against Logezy’s clients. Healthcare groups face acute pressure to recover stolen data, because its loss puts the protected health information (PHI) of their patients at risk and carries severe HIPAA compliance penalties. Research by Claroty indicates that the majority of healthcare organizations have paid at least $500k in ransom payments following a cyberattack.
- Social engineering attacks: It has been cited that nine out of ten phishing attacks employ some form of social engineering. Using personal data artifacts like the ones discovered in the database, attackers can execute phishing attacks, BEC campaigns, and other forms of social engineering on Logezy’s corporate clients and on the individual data owners themselves.
- Account takeover: As noted by Fowler, “some documents included the names of supervisors or administrators.” Weaponizing this information, such as in spear phishing attacks, could lead to credential theft and account takeover, which could “increase the hypothetical risks of criminals attempting to steal sensitive patient data or access other sensitive internal resources.”
It is also unknown whether the database was managed by a third party or by Logezy in-house. If it was managed by a supply chain partner, the likelihood of compromise rises: nearly two-thirds of all organizations have been breached through a third party, per a 2024 study by Miratech. Regulatory frameworks such as PCI DSS and DORA increasingly place responsibility for third-party attacks on the primary entity that contracted the third party, so Logezy would likely be held accountable even if the oversight was made by an external entity.
Database Security Recommendations
Fowler advocated against providers like Logezy “putting all their eggs in one basket” when it comes to storing the sensitive information of their clients. He advised that companies collecting records from multiple business sources “segment these records in separate cloud storage environments to enhance security, prevent unauthorized access, and minimize the impact of potential data breaches.”
While Logezy had each business’s file in separate folders, those folders remained unprotected by either passwords or encryption. Fowler noted the importance of assigning separate access controls to each unique database, implementing structured segmentation, and encrypting the contents inside.
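The three controls recommended above (one storage boundary per business, a separate access principal for each, and encryption at rest) can be checked mechanically against a storage inventory. The following is an added example, not code from Logezy or from Fowler's report; the inventory format, store names and principal names are constructed for illustration.

```python
"""Audit a storage inventory for per-tenant segmentation, separate access
controls and encryption at rest. Constructed example; the inventory layout,
store names and principals are assumptions, not real configuration."""
from dataclasses import dataclass


@dataclass
class Store:
    name: str
    tenants: list            # business IDs whose records live in this store
    anonymous_access: bool   # reachable without a password or token
    encrypted_at_rest: bool
    principals: list         # identities granted access to the store


def audit(inventory):
    """Return (subject, finding) tuples; an empty list means every check passed."""
    findings = []
    reach = {}  # principal -> set of tenant IDs it can reach across all stores
    for s in inventory:
        if s.anonymous_access:
            findings.append((s.name, "reachable without authentication"))
        if not s.encrypted_at_rest:
            findings.append((s.name, "contents not encrypted at rest"))
        if len(s.tenants) > 1:
            findings.append((s.name, f"{len(s.tenants)} tenants share one access boundary"))
        for p in s.principals:
            reach.setdefault(p, set()).update(s.tenants)
    for p, tenants in reach.items():
        if len(tenants) > 1:  # one credential unlocks several businesses' records
            findings.append((p, "principal spans tenants: " + ", ".join(sorted(tenants))))
    return findings


# Constructed: the exposed layout, one open store holding a folder per business
EXPOSED = [Store("records", ["clinicA", "clinicB", "agencyC"], True, False, [])]

# Constructed: the recommended layout, one store and one principal per business
SEGMENTED = [
    Store("records-clinicA", ["clinicA"], False, True, ["svc-clinicA"]),
    Store("records-clinicB", ["clinicB"], False, True, ["svc-clinicB"]),
    Store("records-agencyC", ["agencyC"], False, True, ["svc-agencyC"]),
]

if __name__ == "__main__":
    for label, inventory in (("exposed", EXPOSED), ("segmented", SEGMENTED)):
        print(label, audit(inventory) or "no findings")
```

Running it reports three findings for the exposed layout (anonymous access, no encryption, three tenants in one boundary) and none for the segmented one; a principal granted on more than one tenant's store is also flagged.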
An Educational Experience
As Fowler states, “I do not claim that any internal, customer, or user data was ever at imminent risk.” The hypothetical risks presented in his report represent potential threats and are intended “exclusively for educational purposes.”
The lesson for providers (healthcare or otherwise) storing sensitive client information is clear. Without proper segmentation, access controls, and encryption, valuable customer data is never fully secure.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.