Nearly One Million Documents Exposed By Software Provider for the Petroleum and Fuel Industry
Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database containing 780,000 records belonging to FleetPanda — a technology provider offering dispatch management, a driver app, reporting and analytics, invoicing, and more. The database held documents such as invoices, driver applications, images of licenses, and background checks that contained PII.
The non-password-protected database contained 780,191 documents with a total size of 193 GB. The exposed documents were in .PDF, .jpg, and other image formats. The documents indicated shipments of fuel and petroleum to and from numerous companies, industries, and even pipelines. These included invoices, delivery tickets, and other business-related records. The folders contained files dating from 2019 to the present (August 2024) and were listed as cache files, as well as files relating to drivers, licenses, store, synctruck, vehicles, and workers. Invoices contained billing and delivery information such as bill to, delivered to, delivered by, ticket, PO or order numbers, truck numbers, and other internal identifiers or tracking data. The database also contained potentially sensitive information such as high-resolution images of driver’s licenses and employment applications displaying Social Security numbers (SSNs) and other PII. Exposed business records and personal data can raise serious security and privacy concerns. Within a limited sample of exposed records, I saw documents indicating deliveries to or from numerous states including California, Oregon, Texas, Colorado, Oklahoma, and others.
Upon further investigation, the documents and the name of the database indicated the records belonged to California-based FleetPanda, a software and technology company that provides services and support for the petroleum and fuel industry. FleetPanda offers a dispatch dashboard, driver application, order management, reporting and analytics, reconciliation, invoicing, and pricing or fee management tools. I immediately sent a responsible disclosure notice of my findings, and the database was restricted from public access several days later. I did not receive a reply to my notification. It is not known how long the documents were exposed or if anyone else accessed the database. Although the documents belonged to FleetPanda, it is also not known whether FleetPanda itself managed the database. Only an internal forensic audit can identify additional access or suspicious activity.
According to FleetPanda’s LinkedIn page, FleetPanda modernizes old, manual, and spreadsheet methods with an easy-to-use dispatch tool. It handles all order types smoothly, offers a live dashboard for tracking operations, an Uber-like driver app, automatic price and contract handling, along with tight integrations to your current tech tools, bringing all essential business operations data into one digital platform.
This screenshot shows an invoice for the delivery of 9,900 gallons of diesel fuel. The retail cost of diesel fuel in the United States reached an annual average of 4.21 U.S. dollars per gallon in 2023, making this delivery worth an estimated $41,000. Any industry where there is a large amount of money being exchanged for products and services could potentially be a high value target for criminals.
The U.S. energy sector is a valuable target for cyber criminals, nation-states, and even insider threats. The potential risks of cyber attacks on critical infrastructure are something the industry and the government started to take seriously after the Colonial Pipeline ransomware attack that forced the company to shut down operations. This disruption led to widespread fuel shortages and price hikes. The attack, claimed by the DarkSide hacker group (which is believed to be based in Russia), highlighted vulnerabilities in critical infrastructure and prompted increased focus on cybersecurity measures. Since then, the U.S. government has made it a priority to secure and protect the nation’s energy infrastructure. In January 2024, the U.S. Department of Energy (DOE) announced it was investing up to $70 million to develop technologies to secure the energy delivery infrastructure from cyber and physical threats.
According to a report published in Security Magazine, the U.S. and Canada have seen an estimated 71% increase in the number of cyberattacks on energy companies from 2021 to 2022. The energy infrastructure in the U.S. is divided between electricity, oil, and natural gas; it is potentially vulnerable due to the reliance on interconnected systems and outdated infrastructure. I am not saying that FleetPanda’s customers are at risk of cyber or physical attacks. I am only indicating that the industry is potentially at a high risk according to past attacks.
With thousands of internal documents exposed, one potential risk would be the threat of invoice fraud. This type of scam involves criminals tricking organizations into paying fraudulent invoices by posing as legitimate vendors or suppliers. Criminals usually obtain real invoices from data breaches and then use them as templates to create fake invoices that look authentic. Real invoices can contain insider information such as accurate purchase order numbers and other details that only the companies, drivers, or service providers would know. When combined with social engineering tactics, criminals could attempt to manipulate employees (often through phishing emails) into making unauthorized payments to the criminals’ accounts. According to a 2022 FBI IC3 report, victims of invoice fraud lost an average of over $120,000 per incident, and an estimated 7 out of 10 companies (68%) are affected annually (across all industries). I am not stating nor implying that FleetPanda’s customers are at risk of invoice fraud; I am only providing a real-world risk scenario that businesses should be aware of.
Additionally, exposed personal information is a serious potential risk to both the individuals and the organizations they work for. The database contained images of both commercial and non-commercial driver’s licenses, driving history documents, hazardous materials certifications, background checks, and employment applications that include PII and even Social Security numbers (SSNs). Personal data and documents could be potentially exploited for identity theft, financial fraud, or social engineering attacks. In industries considered critical infrastructure, criminals could hypothetically impersonate employees to gain information, get unauthorized access, or launch sabotage operations.
I recommend organizations store important employee data separately from standard operating and business documents such as invoices. For individuals who worry about the exposure of their personal information, it is a good idea to obtain an annual credit check and be aware of any suspicious activity using your name, credit profile, or SSN. For organizations and individuals alike, the most important factor is identifying potential misuse of data as soon as possible. I am not saying that there is an imminent threat of identity theft or misuse of data; I am only highlighting potential risks businesses and individuals should be aware of.
I imply no wrongdoing by FleetPanda, their partners, or third-party contractors, nor do I claim that internal data or customer data was ever at risk or could be misused. Given that the U.S. energy supply network is classified as critical infrastructure, it is important to identify vulnerabilities and strengthen data security practices across the entire industry. The hypothetical data-risk scenarios I have presented in this report are exclusively for educational purposes, and it is crucial for all readers to conduct their own independent security assessments to verify the accuracy, completeness, and reliability of data protection measures. As an ethical security researcher, I do not download the data I discover and only take a limited number of screenshots solely for verification purposes. It is not known how long the database was publicly accessible, as only an internal forensic investigation conducted by FleetPanda would be able to identify this information along with any potential suspicious activity related to the breach. I publish my findings solely to raise awareness of data security and privacy issues. This disclaimer does not intend to suggest that FleetPanda or its associated entities have not adequately safeguarded their data.