Nearly 32 Million Documents, Invoices, Contracts, and Agreements Exposed Online by Global Field Service Management Provider (2024)

Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained 31.5 million records belonging to ServiceBridge — a technology company that offers field service management for businesses. The database contained contracts, work orders, invoices, proposals, and more from companies worldwide.

The non-password-protected database contained 31,524,107 files with a total size of 2.68 TB. The exposed documents were in .PDF and .htm formats (.htm files are designed to be displayed in web browsers) and were organized in folders by year and month. The documents dated back to 2012 and belonged to a large and diverse set of companies from different industries. They included contracts, work orders, invoices, proposals, inspections, completion agreements, and other business-related records. Exposed business records and personal data can raise serious security and privacy concerns.

Upon further research, I identified that the documents belonged to ServiceBridge (by GPS Insight), a franchise management software for field service management, job dispatching, scheduling, and work order management. I immediately sent a responsible disclosure notice, and the database was restricted from public access shortly after. I did not receive any reply to my notification, and it is not known how long the database was exposed or if anyone else gained access to the millions of documents. It is unclear if the database was managed by ServiceBridge or a third party. Only an internal forensic audit could identify any suspicious activity, additional access, and the timeline of the exposure.

It should be noted that, although some files were marked with a GPS Insight logo, I did not see any fleet management documents.

According to their website, the ServiceBridge platform was built to serve multiple industries such as commercial or industrial services, pest and animal control, cleaning, landscaping, construction, and other services. The documents I saw listed a wide range of customers: from private homeowners, schools, and religious institutions, to well-known chain restaurants, Las Vegas casinos, medical providers, and many others.

Many of the exposed documents displayed information that was not meant to be public. For instance, some files contained PII such as names, physical addresses, email addresses, phone numbers, and partial credit card data. I also saw HIPAA patient consent forms and medical equipment agreements that identified individuals as patients, listing their first and last names. Documents marked as “site audit reports” showed images of the inside and outside of properties or businesses. Several documents even included gate codes or other access information that could pose a physical security risk to property or individuals. In the limited sampling of documents I analyzed, the majority appeared to be US-based, but I also saw businesses and customers from Canada, the UK, and numerous European countries.

The potential risks of invoice fraud are a double-edged sword that affects both business-to-customer (B2C) and business-to-business (B2B) transactions. Exposed invoices and internal business documents can serve as a template for criminals to target victims using internal information that only the business and the customer would know. This insider knowledge is likely to generate a sense of trust, significantly increasing the chances of a fraud attempt succeeding. In 2022, it was estimated that a business in the US loses an average of $300,000 per year due to invoice schemes and payment fraud. According to the report, as many as one in four (25%) finance professionals do not have a full understanding of how much these schemes are affecting their business. In 2023, it was reported that 52% of large companies experienced some sort of payment fraud. While large companies usually have the revenue and resources to recover more quickly from invoice fraud, these scams can be devastating for small to medium-sized businesses and independent franchise owners.

Invoice fraud is a relatively low-tech crime that relies primarily on social engineering. It is important to be proactive and always cautious when processing invoices. I recommend that any company, no matter how big or small, take steps to educate its accounts payable team to recognize common scams and take the necessary precautions when processing invoices. One of the easiest forms of fraud to identify is an invoice from an unfamiliar vendor. Always keep accurate records of vendors, contractors, and customers to verify that payment requests are legitimate. Paying invoices on time is important for any business, and criminals exploit the need for fast payments. If something feels suspicious about an invoice, I recommend withholding the payment until the information is verified.
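The vendor-record checks described above, as an added example that is not part of the original article: a small accounts-payable screen in Python that holds invoices from vendors missing from the vendor master and flags a known vendor whose payment details differ from the verified record. It goes one step beyond the text by also flagging vendor names that nearly match a known vendor. The vendor master, the invoices and the account identifiers are constructed sample data.

```python
"""Screen an incoming invoice against the accounts-payable vendor master.

This is an added example, not code from the article. It encodes the checks
the text recommends: is the vendor one the business already has on record,
and do the payment details on the invoice match the verified record? It goes
one step beyond the text by also flagging vendor names that nearly match a
known vendor, since a near-miss name paired with new bank details is a
common shape for a fraudulent invoice. All vendor records and invoices below
are constructed sample data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re


@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str  # payment details confirmed with the vendor out of band


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_name: str
    bank_account: str


def normalize(name: str) -> str:
    """Fold case, punctuation and corporate suffixes so 'ACME Pest Control, LLC' == 'acme pest control'."""
    folded = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    folded = re.sub(r"\b(inc|llc|ltd|co|corp|corporation|company)\b", " ", folded)
    return " ".join(folded.split())


def check_invoice(invoice: Invoice, vendors: list, similarity: float = 0.85) -> list:
    """Return findings for one invoice; an empty list means every check passed."""
    findings = []
    wanted = normalize(invoice.vendor_name)
    match = next((v for v in vendors if normalize(v.name) == wanted), None)
    if match is None:
        # Not a vendor we do business with: hold payment until verified.
        findings.append("UNKNOWN_VENDOR")
        lookalikes = [v.name for v in vendors
                      if SequenceMatcher(None, normalize(v.name), wanted).ratio() >= similarity]
        if lookalikes:
            findings.append(f"LOOKALIKE_OF:{lookalikes[0]}")
        return findings
    if invoice.bank_account != match.bank_account:
        # Known vendor but different payment details: confirm via a number already on
        # record, never via contact details printed on the invoice itself.
        findings.append("PAYMENT_DETAILS_CHANGED")
    return findings


# Constructed vendor master, as the text advises keeping accurate records of vendors.
VENDORS = [
    Vendor("ACME Pest Control, LLC", "US-ACCT-1111"),
    Vendor("Greenline Landscaping Inc", "US-ACCT-2222"),
]

# Constructed incoming invoices covering the legitimate and the suspicious cases.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "ACME Pest Control LLC", "US-ACCT-1111"),   # legitimate
    Invoice("INV-1002", "Greenline Landscaping", "US-ACCT-9999"),   # known vendor, new account
    Invoice("INV-1003", "ACME Pest Controls LLC", "US-ACCT-9999"),  # lookalike name, new account
    Invoice("INV-1004", "Northwind Supplies", "US-ACCT-5555"),      # never seen before
]


def screen(invoices: list, vendors: list) -> dict:
    """Map each invoice id to its findings so accounts payable can hold the flagged ones."""
    return {inv.invoice_id: check_invoice(inv, vendors) for inv in invoices}


if __name__ == "__main__":
    for invoice_id, findings in screen(SAMPLE_INVOICES, VENDORS).items():
        print(invoice_id, "OK" if not findings else ", ".join(findings))
```

The screen only decides which invoices to hold; the verification itself still happens out of band, by calling the vendor on a number already in the master record rather than one printed on the suspect invoice.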
Customers should also be vigilant when they are contacted by businesses they have used in the past asking for additional information or making unexpected payment requests. I am not implying that ServiceBridge users or their end customers are at risk of invoice or other types of fraud. I am only providing a real-world risk scenario of how the exposure of these types of documents may be used by criminals for nefarious purposes.

When applications use or transmit documents or images, those files need to be stored somewhere and be accessible to the application on demand. Often, these documents are stored in one place and are not encrypted or password-protected. End-to-end encryption adds significant development costs and technology challenges, so many organizations choose to use a cloud storage repository and make individual documents accessible to applications or web browsers. These documents can easily reveal the file path where they are stored. If the database is misconfigured and allows public access, it could create a scenario that exposes the entire dataset. It is important for software developers to segment potentially sensitive data, use encryption, implement access control to cloud storage databases, and ensure that applications transmit documents securely. I am not saying that this is how the ServiceBridge technology or application operates in practice; I am only providing a hypothetical risk scenario based on my past research of application-based data exposures.

I imply no negligence, misconduct, or wrongdoing by ServiceBridge or GPS Insight, nor do I claim that any businesses, customers, or documents were ever at risk or compromised. It is not known how long the database was exposed and publicly accessible, or if anyone else accessed the non-password-protected documents. As an ethical cyber security researcher, I do not download or extract the data I discover; I only take a limited number of redacted screenshots for validation and notification purposes. I publish my findings to raise awareness of important cyber security issues and promote best practices in terms of data protection.
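One concrete form of the "implement access control to cloud storage" advice above, as an added example that is not code from the article or from ServiceBridge/GPS Insight: a Python linter for bucket policies written in the AWS S3 JSON policy layout. It flags any statement that lets an anonymous caller list or read objects (the configuration that turns one exposed file path into an enumerable dataset) and contrasts it with a policy that grants read access only to the application's role and refuses non-TLS requests. The bucket name, role name and account id are constructed placeholders.

```python
"""Flag object-storage bucket policies that grant anonymous read or list access.

This is an added example, not code from the article or from ServiceBridge /
GPS Insight. It parses policy documents in the AWS S3 bucket-policy JSON
layout (Version / Statement / Effect / Principal / Action / Resource /
Condition) and reports every Allow statement that an unauthenticated caller
could use to enumerate or download stored documents. Both sample policies
below are constructed; the account id 123456789012 is a placeholder.
"""
import fnmatch
import json
from typing import Any

# Actions that let a caller enumerate the bucket or fetch its objects.
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion")


def _as_list(value: Any) -> list:
    """Policy elements may be a single string or a list; always work with a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal: Any) -> bool:
    """True when the Principal element matches every caller, unauthenticated ones included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def matched_read_actions(actions: list) -> list:
    """Read/list actions granted by an Action element; wildcards such as 's3:*' or 's3:Get*' count."""
    return sorted({a for a in READ_ACTIONS for pattern in actions if fnmatch.fnmatchcase(a, pattern)})


def find_public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement that is open to anonymous callers.

    This is a linter, not a full policy evaluator: an explicit Deny elsewhere, or
    an account-level public access block, could still stop the access, so each
    finding is something to review rather than an automatic verdict.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        reads = matched_read_actions(_as_list(stmt.get("Action")))
        if not reads:
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": reads,
            "resources": _as_list(stmt.get("Resource")),
            # A Condition (e.g. a source-IP restriction) narrows the grant but does not remove it.
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


def verdict(policy_json: str) -> str:
    """'PUBLIC' if any anonymous read/list grant exists, otherwise 'RESTRICTED'."""
    return "PUBLIC" if find_public_statements(policy_json) else "RESTRICTED"


# Constructed sample 1: the misconfiguration the article warns about. ListBucket lets
# anyone enumerate every stored file; GetObject lets them download each one.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"],
    }],
})

# Constructed sample 2: only the application's role may read objects, and plaintext
# (non-TLS) requests are denied so documents are transmitted securely.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/document-service"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-docs/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(label, verdict(policy), find_public_statements(policy))
```

A bucket policy is only one of the places public access can be granted (object ACLs and the account-level public access block matter as well), so a check like this belongs in the deployment pipeline alongside the provider's own public-access settings rather than as the sole control.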

Jeremiah Fowler

Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
