Leaked data from oil rigs raises terrorism threat


More than a million files with sensitive data, from employee card templates to on-site operational assessments, have been left online without password protection, putting multiple energy companies at risk.

In November 2023, Cybernews researchers discovered an openly accessible storage instance with over 1.5 million sensitive files. The files contained personal employee information and operational data from multiple energy companies.

The leaked data includes:

  • Employee names
  • Addresses
  • Phone numbers
  • Dates of birth
  • Social Security numbers (SSN)
  • Physical examination and drug test forms
  • Scanned documents
  • Employee certificates
  • Templates for employee cards
  • Employee resumes with photos
  • On-site assessment forms with photos of critical infrastructure
Group training sheet including COVID symptom checks and partial Social Security Numbers

The research team has been able to attribute the leak to WorldLive LLC, a Louisiana-based company that specializes in tracking employee training, managing assets, and creating maintenance schedules for energy companies.

Some of the examined files were connected to ExxonMobil and Guyana Revenue Authority, JP Oil Holdings, Broussard Brothers, and Noble Energy, which was acquired by Chevron Corporation. However, given the scope of the leak, more companies could be affected.

The leak was caused by missing authentication on Azure Cloud Storage Blob – a cloud-based service from Microsoft Azure that allows users to store and manage large amounts of unstructured data such as text, binary data, and media files.

Group training sheet including full names and signatures

The risk of attacks

Cybersecurity neglect by the companies’ service provider is highly concerning, as the energy sector is considered critical infrastructure.

Apart from the devastating effects in the case of an attack, the sector is highly targeted by malicious actors. Last year, the Microsoft Digital Defense Report showed that the number of cyberattacks targeting critical infrastructure had grown significantly, while the level of sophistication of cyberattacks targeting digital operating systems is constantly evolving.

On-site assessment forms with photos of the machinery

A misconfiguration of WorldLive systems makes it extremely easy for malicious actors to exploit the leaked data, as it was simply left available to anyone on the internet.

Assessment documents found in the storage contained photos of energy companies’ machinery along with descriptions of potential vulnerabilities or malfunctions. This is extremely concerning, as the information could be used for targeted attacks.

Also among the leaked data were templates of employee cards that could have allowed attackers to craft a valid-looking employee pass to access facilities.

Operational Integrity Assessment Report detailing safety rules violations

Extensive information about employees could also have been used for social engineering attempts to access the locations or further extract sensitive information.

Finally, exposed personal employee data could be misused for identity theft, fraud, and targeted cybercrimes in the hands of a malicious actor.

“Critical infrastructure has been increasingly targeted by hacktivists in the last couple of years. Critical infrastructure has always been a prime target for Advanced Persistent Threat (APT) groups,” said Aras Nazarovas, a security researcher at Cybernews. “We have also seen such attacks done for financial gain, as was the case in the Colonial Pipeline Ransomware attack.”

Cybernews has reached out to WorldLive but has not yet received a response.

List of completed training
Training certificate
Workplace safety certificate

Third-party providers could become a trojan horse

The uncovered data leak is a stark example of the security risk involved in trusting your company’s data with a third-party provider.

According to researchers, malicious actors can often obtain access to otherwise safeguarded data from a company with all the necessary security measures in place by targeting insecure third parties.

“Third-party security issues may arise due to the limited resources, which may prevent them from having a dedicated security team or investing in relevant cybersecurity solutions. This might make them easier and more attractive targets for attackers,” said Nazarovas.

Drug test consent form including full Social Security Number, address, date of birth, phone number, and signatures.

Previous research by Cybernews has proved that to be the case. In June, Cybernews uncovered that extremely sensitive data had been leaked from Banco Portugues de Gestao, which could have led to unauthorized money transfers. The leak was caused by the bank’s service provider, Nearsoft, which provides digital banking and e-government solutions.

The same month, the biggest auto dealer in Benelux – Van Mossel – was impacted along with a dozen other companies when data analytics company Rawdamental leaked harvested client data to anyone on the internet.

In 2023, Cybernews research revealed another major leak affecting multiple financial institutions. These institutions used ID verification services provided by OCR Labs. A misconfiguration of the company’s systems exposed sensitive credentials to the public.