31.5M invoices, contracts, patient consent forms, and more exposed to the internet

Unprotected database with 12 years of biz records yanked offline

Exclusive: Nearly 2.7 TB of sensitive data, comprising 31.5 million invoices, contracts, HIPAA patient consent forms, and other business documents from numerous companies across industries, was exposed to the public internet for an unknown length of time in a database that required no password to access.

"Once I started seeing invoices, it was pretty clear what the risks were here, including invoice fraud," said information security researcher Jeremiah Fowler, who spotted the exposed files and discussed them with The Register in an exclusive interview. "Ninety-five percent of cyber-crime is financially based. At the end of the day, criminals want money. Who has money? Businesses."

According to Fowler, the database turned out to belong to ServiceBridge, a software-as-a-service provider used by field-service companies (think pest control, maintenance, and installers) to handle customer work orders, manage employees out in the field, generate invoices, take payments, and more.

In a write-up shared earlier with The Register, and published here today, Fowler said some of the millions of exposed documents dated back to 2012, and included business contracts and proposals, work orders, inspection forms, agreements, and other records alongside the invoices and consent forms already mentioned. The documents were in PDF and HTML formats and were organized in folders by year and month.
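The article does not say which database product sat behind the exposure, only that the store answered without a password. The following is an added example, not code from the article or from ServiceBridge, of the check a practitioner would run against their own HTTP-fronted document store: request the root path with no credentials and see whether a listing comes back. The stub servers, the year/month sample listing, and the `demo-token` value are all constructed for the demo and are not real data.

```python
"""Check whether an HTTP-fronted document store answers without credentials.

Added example, not the article's or ServiceBridge's code. Assumes a store whose
root path returns a listing over plain HTTP; the stub servers below stand in for
a misconfigured store and for the same store with a token requirement.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample listing, folders by year/month as the researcher described.
SAMPLE_LISTING = {
    "2012/01": ["invoice-0001.pdf", "work-order-0001.html"],
    "2024/08": ["contract-9912.pdf", "consent-form-0042.pdf"],
}


class OpenStoreHandler(BaseHTTPRequestHandler):
    """Misconfigured store: serves the listing to anyone who asks (hypothetical)."""

    def do_GET(self):
        body = json.dumps(SAMPLE_LISTING).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProtectedStoreHandler(OpenStoreHandler):
    """Same store with a bearer-token requirement (hypothetical token value)."""

    TOKEN = "demo-token"

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {self.TOKEN}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_GET()


def check_unauthenticated_access(base_url, timeout=3.0):
    """GET base_url with no credentials and report whether data came back.

    Returns a dict with exposed (bool), status (int or None) and a short
    sample of the response so the finding can be triaged.
    """
    req = urllib.request.Request(base_url, headers={"User-Agent": "exposure-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            raw = resp.read(4096)
    except urllib.error.HTTPError as e:
        # 401/403 is the expected answer from a correctly configured store.
        return {"exposed": False, "status": e.code, "sample": None}
    except (urllib.error.URLError, OSError) as e:
        # Nothing listening, or unreachable: not exposed on this path.
        return {"exposed": False, "status": None, "sample": repr(e)}

    try:
        sample = json.loads(raw)
    except ValueError:
        sample = raw[:200].decode(errors="replace")
    # A 200 with a non-empty body on the root path, with no credentials sent,
    # is exactly the condition that makes a store open to whoever finds it.
    return {"exposed": status == 200 and bool(raw), "status": status, "sample": sample}


def _serve(handler):
    """Start a stub server on a free loopback port; return (url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/", srv


def run_demo():
    """Run the check against the open stub and the token-protected stub."""
    results = {}
    for name, handler in (("open", OpenStoreHandler), ("protected", ProtectedStoreHandler)):
        url, srv = _serve(handler)
        try:
            results[name] = check_unauthenticated_access(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        verdict = "EXPOSED" if result["exposed"] else "ok"
        print(f"{name:10s} {verdict:8s} status={result['status']}")
```

Pointed at a real host, `check_unauthenticated_access` is a one-request smoke test, not a scanner: it only tells you whether the root path hands out data to an anonymous client, which is the condition behind this story. Run it from outside your own network, since an internal-only test says nothing about what the public internet sees.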


According to Fowler's report, the files pertained to what appeared to be ServiceBridge clients ranging from "private homeowners, schools, and religious institutions, to well-known chain restaurants, Las Vegas casinos, medical providers, and many others."

"In the limited sampling of documents I analyzed, the majority appeared to be US-based, but I also saw businesses and customers from Canada, the UK, and numerous European countries," he wrote.

The data, we're told, is a huge collection of personal information, including in places people's contact details, partial credit card numbers, the names of patients on medical equipment agreements, and site audit reports with photographs of the inside and outside of properties.

After Fowler notified the Chicago-based firm, which was bought by Arizona fleet-management biz GPS Insight in 2020, the database was closed off to the public, he says. He never heard back from ServiceBridge about the exposure. We've asked the biz for a response.

Anyone who discovered the document stash could have used the files for targeted phishing and fraud.

One of the files contained a work order for a customer showing partial payment information with half of the balance due, along with the customer's name, physical address, phone numbers, and email address.

"It said they have paid 50 percent, and had a balance due of about $1,000," Fowler said. "So hypothetically all a criminal would have to do is contact the customer, using the same invoice as a template and say, 'hey, we've updated our billing information. Click on this link to pay the balance.'"

All of the information contained in the work order is insider information, Fowler added. "It's just information that the service provider would know." 

So a criminal could theoretically trick the customer into paying the balance to the fraudster's bank account, using the updated details, "and then you've just lost $1,000," he said. "That would be a man-in-the-middle attack."

Another exposed file was an inspection report for an Internet-of-Things device, listing the system's model number, firmware version, battery type, and other details that would let an attacker look up known vulnerabilities for that exact hardware and firmware revision.

The sheer number of invoices in the database would also hand fraudsters a large pool of targets, and ready-made templates, for social engineering and phishing.

"Because people are so gullible with even the most obvious scams, imagine if someone has insider information," Fowler said.

"They have templates that you've already seen," he added, referring to the piles of invoices, letters, and forms in the database that crooks could have used as the basis for convincing forgeries. "They know the names of installers you use. It really is the next level of risk."

That risk applies both to the businesses, which face serious reputational damage as well as regulatory fines when a breach exposes invoices and other records containing personal data, and to the customers, whose privacy has now been compromised.

The takeaway for ServiceBridge customers at least, according to Fowler, is "trust nothing on the internet. Verify anything that feels suspicious. Check it out, pick up the phone. Emails, the internet, all of that is so easy to manipulate."

Organizations also need to do a better job protecting their clients, he added. Even in a case like this where a researcher, not a criminal, finds an open database, companies should alert their customers.

"You have to let your customers know, and the reason for that is so they are aware and they can look out for suspicious behavior," Fowler said. "If they're not aware, they are sitting ducks and really blind to the fact that someone may be armed with insider information that the customer has no reason to doubt."

Fowler has previously discovered and flagged up unprotected online databases including those used by a taxi software maker, the Irish National Police, and a fundraising platform for non-profits. ®
