A major security lapse at field service management platform ServiceBridge has resulted in the exposure of over 31.5 million sensitive data files, putting businesses and individuals at risk of fraud and privacy violations.
Security researcher Jeremiah Fowler uncovered an unprotected database containing 31,524,107 files totaling 2.68 TB of data belonging to ServiceBridge. The exposed information dated back to 2012 and primarily affected companies in the United States, United Kingdom, and Canada.
Scope of the Breach
The leaked data included a wide range of sensitive information:
- Partial credit card numbers
- Invoices and contracts
- HIPAA consent forms
- Personally identifiable information (names, addresses, phone numbers)
- Site audit reports with interior and exterior property images
- Gate access codes and other security-sensitive details
Affected entities ranged from private homeowners to large chain restaurants, casinos, and medical providers.
Security Risks and Potential Consequences
The exposure of such detailed business and personal information poses several significant risks:
- Spear phishing attacks: Criminals could use the leaked data to craft highly convincing targeted phishing campaigns.
- Invoice fraud: With access to legitimate business documents, attackers could more easily impersonate companies and redirect payments.
- Physical security threats: Exposed property images and access codes could potentially compromise the safety of affected locations.
- Medical privacy violations: The presence of HIPAA-related documents raises concerns about patient confidentiality breaches.
Unclear Duration of Exposure
While ServiceBridge has since removed the database after being notified, it remains unknown how long the information was freely accessible online or who may have accessed it during that time.
Lessons and Recommendations
This incident highlights the critical importance of implementing proper security measures for sensitive data storage:
- Regular security audits
- Robust access controls
- Encryption of sensitive information
Organizations entrusted with customer data must prioritize cybersecurity to prevent such large-scale exposures that can have far-reaching consequences for businesses and individuals alike.
As the investigation continues, affected parties should remain vigilant for potential fraudulent activities and consider taking steps to protect their personal and financial information.