Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained 31.5 million records belonging to ServiceBridge — a technology company that offers field service management for businesses. The database contained contracts, work orders, invoices, proposals, and more from companies worldwide.
The non-password-protected database contained 31,524,107 files with a total size of 2.68 TB. The exposed documents were in .PDF and .htm formats (.htm files are designed to be displayed on web browsers), and organized in folders by year and month. The documents dated back to 2012 and belonged to a large and diverse number of companies from different industries. They included contracts, work orders, invoices, proposals, inspections, completion agreements, and other business related records. Exposed business records and personal data can potentially raise serious security and privacy concerns.
Upon further research, I identified that the documents belonged to ServiceBridge (by GPS Insight), a franchise management software for field service management, job dispatching, scheduling, and work order management. I immediately sent a responsible disclosure notice, and the database was restricted from public access shortly after. I did not receive any reply to my notification and It is not known how long the database was exposed or if anyone else gained access to the millions of documents. It is unclear if the database was managed by ServiceBridge or a third-party. Only an internal forensic audit could identify any suspicious activity, additional access, and the timeline of the exposure. It should be noted that, although some files were marked with a GPS Insight logo, I did not see any fleet management documents.
According to their website, the ServiceBridge platform was built to serve multiple industries such as commercial or industrial services, pest and animal control, cleaning, landscaping, construction, and other services. The documents I saw listed a wide range of customers: from private homeowners, schools, and religious institutions, to well-known chain restaurants, Las Vegas casinos, medical providers, and many others.
Many of the exposed documents displayed information that was not meant to be public. For instance, some files contained PII such as names, physical addresses, email addresses, phone numbers, and partial credit card data. I also saw HIPAA patient consent forms and medical equipment agreements that identified individuals as patients, listing their first and last names. Documents marked as “site audit reports” showed images of the inside and outside of properties or businesses. Several documents even included gate codes or other access information that could pose a potential physical security risk to property or individuals. In the limited sampling of documents I analyzed, the majority appeared to be US-based, but I also saw businesses and customers from Canada, the UK, and numerous European countries.
This screenshot shows a redacted customer invoice that displayed the name, email address, phone number, and physical address of the client.
This screenshot shows a waiver form that includes the customer’s PII and partial payment information.
This screenshot shows a work order that lists partial payment information, the account balance owed, and the customer’s PII.
This screenshot shows an inspection of an iOT device, including the firmware version and other information that could potentially be used to further identify cyber security vulnerabilities.
This screenshot shows a service report made for a well-known restaurant chain in the UK.
This screenshot shows a portion of a document that includes a HIPAA consent form signed by individuals listed as patients who received medical equipment. ❮❯
×
The potential risks of invoice fraud are a double-edged sword that affects both business-to-customer (B2C) and business-to-business (B2B) transactions. Exposed invoices and internal business documents can potentially serve as a template for criminals to target victims using internal information that only the business and the customer would know. This insider knowledge is likely to generate a sense of trust, significantly increasing the chances of effective fraudulent activity. In 2022, it was estimated that a business in the US loses an average $300,000 per year due to invoice schemes and payment fraud. According to the report, as many as one in four (25%) finance professionals do not have a full understanding of how much these schemes are affecting their business. In 2023, it was reported that 52% of large companies experienced some sort of payment fraud. While large companies usually have the revenue and resources to recover more quickly from invoice fraud, these scams can be devastating for small to medium-sized businesses and independent franchise owners.
Invoice fraud is a relatively low-tech crime that relies primarily on social engineering. It is important to be proactive and always be cautious when processing invoices. I recommend that any company, no matter how big or small, take steps to educate their accounts payable team to recognize common scams and take necessary precautions when processing invoices. One of the easiest forms of fraud to identify are invoices from an unfamiliar vendor. Always keep accurate records of vendors, contractors, and customers to verify that payment requests are legitimate. Paying invoices on time is important for any business, and criminals exploit the need for fast payments. If something feels suspicious about an invoice, I recommend withholding the payment until the information is verified. Customers should also be vigilant when they are contacted by businesses they have used in the past asking for additional information or unexpected payment requests. I am not implying that ServiceBridge users or their end customers are at risk of invoice or other types of fraud. I am only providing a real-world risk scenario of how the exposure of these types of documents may be used by criminals for nefarious purposes.
When applications use or transmit documents or images, those files need to be stored somewhere and accessible to the application upon demand. Often, these documents are stored in one place and not encrypted or password-protected. End-to-end encryption adds significant development costs and technology challenges, therefore many organizations choose to use a cloud storage repository and make individual documents accessible to applications or web browsers. These documents can easily identify the file path where they are stored. If the database is misconfigured and allows public access, it could create a scenario that exposes the entire dataset. It is important for software developers to segment potentially sensitive data, use encryption, implement access control to cloud storage databases, and ensure that applications transmit documents securely. I am not saying that this is how the ServiceBridge technology or application operates in practice, I am only providing a hypothetical risk scenario based on my past research of application based data exposures. I imply no negligence, misconduct, or wrongdoing by ServiceBridge or GPS Insight, nor do I claim that any businesses, customers, or documents were ever at risk or compromised. It is not known how long the database was exposed for and publicly accessible, or if anyone else accessed the non-password-protected documents. As an ethical cyber security researcher, I do not download or extract the data I discover; I only take a limited number of redacted screenshots for validation and notification purposes. I publish my findings to raise awareness of important cyber security issues and promote best practices in terms of data protection.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
