Large number of businesses exposed in 32 million document leak from ServiceBridge


Security researcher Jeremiah Fowler has discovered a massive exposed data chest belonging to ServiceBridge, a cloud-based field service management platform. The exposed data contains contracts, work orders, invoices, proposals, inspections, agreements, partial credit card numbers, and even HIPAA consent forms dated back to 2012.

ServiceBridge supports growth for many field service businesses, such as pool services, pest control, handymen, and others. It provides a platform for various activities such as GPS tracking, work orders, invoicing, and payments.

Fowler discovered an unprotected database containing 31,524,107 files, totaling 2.68TB in size. The documents were organized in folders by year and month and in the formats PDF and HTM (designated for display on web browsers).

ADVERTISEMENT

The documents span various companies from different industries in the US, Canada, UK, and numerous other European countries and date back as far as 2012.

“Exposed business records and personal data can potentially raise serious security and privacy concerns,” Fowler said in a report on WebsitePlanet.

Some documents displayed private information, including names, physical addresses, email addresses, phone numbers, and partial credit card data.

“I also saw HIPAA patient consent forms and medical equipment agreements that identified individuals as patients, listing their first and last names. Documents marked as “site audit reports” showed images of the inside and outside of properties or businesses,” the researcher noted.

The documents belonged to various individuals and organizations, including private homeowners, schools, religious institutions, well-known chain restaurants, Las Vegas casinos, medical providers, and many others.

“Several documents even included gate codes or other access information that could pose a potential physical security risk to property or individuals.”

The researcher sent a responsible disclosure notice to the company, and the database disappeared shortly after. However, Fowler did not receive any acknowledgment, and it’s unclear for how long the database was exposed, whether it was accessed by any other unauthorized parties, and whether its manager was ServiceBride or a third party.

Fowler warns that exposed financial and other internal information can potentially serve cybercriminals as templates for spearphishing campaigns or other fraudulent activities. In 2022, US businesses lost an average of $300,000 per year due to invoice schemes and payment fraud.

ADVERTISEMENT