More than a million files with sensitive data, from employee card templates to on-site operational assessments, have been left passwordless online, putting multiple energy companies at risk.
In November 2023, Cybernews researchers discovered an openly accessible storage with over 1.5 million sensitive files. The files contained personal employee information and operational data from multiple energy companies.
The leaked data includes:
- Employee names
- Addresses
- Phone numbers
- Dates of birth
- Social Security numbers (SSN)
- Physical examination and drug test forms
- Scanned documents
- Employee certificates
- Templates for employee cards
- Employee resumes with photos
- On-site assessment forms with photos of critical infrastructure
The research team has been able to attribute the leak to WorldLive LLC, a Louisiana-based company that specializes in tracking employee training, managing assets, and creating maintenance schedules for energy companies.
Some of the examined files were connected to ExxonMobil and Guyana Revenue Authority, JP Oil Holdings, Broussard Brothers, and Noble Energy, acquired by Chevron Corporation. However, given the scope of the leak, more companies could be affected.
The leak was caused by missing authentication on an Azure Blob Storage container – Azure Blob Storage is a cloud-based service from Microsoft Azure for storing and managing large amounts of unstructured data such as text, binary data, and media files. A container configured for anonymous (public) access can be listed and read by anyone on the internet without credentials.
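The misconfiguration described above is one that storage owners can verify for themselves: an anonymous, unauthenticated HTTP request for a container listing either succeeds (public access) or is refused. The following script is an added example written for this article, not code from Cybernews or WorldLive. It sends a single anonymous container-listing request to a storage account you administer and classifies the answer; the account and container names are placeholders, and the mapping of HTTP status codes to outcomes follows Azure's documented error codes (a 200 with an `EnumerationResults` body means the listing is public, a 409 `PublicAccessNotPermitted` means the account itself blocks anonymous access, a 403/404 means no anonymous listing) and is stated here as an assumption to confirm against current Azure documentation.

```python
"""Check whether one of your own Azure Blob Storage containers answers anonymous requests.

Added example for this article; not the page's or any vendor's code. Only run it
against storage accounts you are responsible for.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: status-code mapping based on Azure Blob REST error codes.
PUBLIC_LISTING = "public-listing"            # anyone can enumerate blob names
ACCOUNT_BLOCKS_PUBLIC = "account-blocks-public"  # allowBlobPublicAccess=false
NO_ANONYMOUS_LISTING = "no-anonymous-listing"    # private, or blob-only access
UNKNOWN = "unknown"


def classify_anonymous_response(status: int, body: str) -> str:
    """Map the HTTP status and body of an anonymous ?restype=container&comp=list call."""
    if status == 200 and "<EnumerationResults" in body:
        return PUBLIC_LISTING
    if status == 409 and "PublicAccessNotPermitted" in body:
        return ACCOUNT_BLOCKS_PUBLIC
    if status in (403, 404):
        return NO_ANONYMOUS_LISTING
    return UNKNOWN


def blobs_in_listing(body: str) -> list:
    """Return blob names from a container-listing XML body (used to size an exposure)."""
    root = ET.fromstring(body)
    return [blob.findtext("Name") for blob in root.iter("Blob")]


def probe_container(account: str, container: str, timeout: int = 10) -> tuple:
    """Send one anonymous listing request and return (classification, response body).

    `account` and `container` are placeholders for your own storage account and container.
    """
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    req = urllib.request.Request(url, method="GET")  # no Authorization header on purpose
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_anonymous_response(resp.status, body), body
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return classify_anonymous_response(err.code, body), body


# Constructed sample of a public listing, shaped like Azure's XML (not real data).
SAMPLE_LISTING = (
    '<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" '
    'ContainerName="hr-docs"><Blobs>'
    "<Blob><Name>resume-0001.pdf</Name></Blob>"
    "<Blob><Name>badge-template.png</Name></Blob>"
    "</Blobs><NextMarker /></EnumerationResults>"
)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with probe_container(...)
    # against a storage account you own to run the live check.
    verdict = classify_anonymous_response(200, SAMPLE_LISTING)
    print(verdict, blobs_in_listing(SAMPLE_LISTING))
```

If the verdict is `public-listing`, the remediation is to turn off anonymous access at the container (`az storage container set-permission --name <container> --public-access off`) and, preferably, at the account level so no container can be re-exposed later (`az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false`), then serve legitimate external consumers through time-limited SAS tokens or Entra ID authorization instead.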
The risk of attacks
Cybersecurity neglect by the companies’ service provider is highly concerning, as the energy sector is considered a critical infrastructure.
Apart from the devastating effects an attack could have, the sector is heavily targeted by malicious actors. Last year, the Microsoft Digital Defense Report showed that the number of cyberattacks targeting critical infrastructure had grown significantly, while the sophistication of attacks on the digital systems that run operations keeps evolving.
A misconfiguration of WorldLive systems makes it extremely easy for malicious actors to exploit the leaked data, as it was simply left available to anyone on the internet.
Assessment documents found in the storage contained photos of energy companies’ machinery along with descriptions of potential vulnerabilities or malfunctions. This is extremely concerning, as the information could be used for targeted attacks.
Also among the leaked data were templates of employee cards that could have allowed attackers to craft a valid-looking employee pass to access facilities.
Extensive information about employees could also have been used for social engineering attempts to access the locations or further extract sensitive information.
Finally, exposed personal employee data could be misused for identity theft, fraud, and targeted cybercrimes in the hands of a malicious actor.
“Critical infrastructure has been increasingly targeted by hacktivists in the last couple of years. Critical infrastructure has always been a prime target for Advanced Persistent Threat (APT) groups,” said Aras Nazarovas, a security researcher at Cybernews. “We have also seen such attacks done for financial gain, as was the case in the Colonial Pipeline Ransomware attack.”
Cybernews has reached out to WorldLive but has not yet received a response.
Third-party providers could become a trojan horse
The uncovered data leak is a stark example of the security risk involved in trusting your company’s data with a third-party provider.
According to researchers, malicious actors can often obtain access to otherwise safeguarded data from a company with all the necessary security measures in place by targeting insecure third parties.
“Third-party security issues may arise due to the limited resources, which may prevent them from having a dedicated security team or investing in relevant cybersecurity solutions. This might make them easier and more attractive targets for attackers,” said Nazarovas.
Previous research by Cybernews has proved that to be the case. In June, Cybernews uncovered that extremely sensitive data had been leaked from Banco Portugues de Gestao, which could have led to unauthorized money transfers. The leak was caused by the bank’s service provider, Nearsoft, which provides digital banking and e-government solutions.
The same month, the biggest auto dealer in Benelux – Van Mossel – along with a dozen other companies were impacted when data analytics company Rawdamental leaked harvested client data to anyone on the internet.
In 2023, Cybernews research revealed another major leak affecting multiple financial institutions. These institutions used ID verification services provided by OCR Labs. A misconfiguration of the company’s systems exposed sensitive credentials to the public.