- Researchers found unsecured online database with almost eight million files
- Database contained work authorization documents, national insurance numbers, certificates, and other sensitive data
- It belonged to software firm Logezy, which says the database is locked down now
Millions of healthcare workers in the United Kingdom have had their sensitive data leaked online, after a non-password-protected database was found unsecured on the internet.
Security researcher Jeremiah Fowler found a database 1.1TB in size containing almost eight million files (7,975,438), including images and .PDF files, work authorization documents, national insurance numbers, certificates, electronic signatures, timesheets, user images, and government-issued identification documents.
Furthermore, the archive contained 656 directory entries indicating different companies, the majority of which were healthcare providers, recruiting agencies, and temporary employment services.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)
Identity theft and other risks
Fowler determined the database belonged to Logezy, an employee management and tracking software company based in the UK.
He notified Logezy of his findings, and the company locked the database down “shortly after”.
To hunt for unprotected databases, researchers would use a specialized search engine, such as Shodan, and analyze the results.
So far, Fowler has found dozens of similar instances, including ClickBalance (more than 750 million records), DM Clinical Research (over a million clinical records), or ServiceBridge (31 million).
Without a detailed forensic analysis, it is impossible to know if a threat actor already accessed the database and exfiltrated the information found there.
It is also impossible to know for how long the archive remained unlocked, and if Logezy managed it, or a third party on its behalf.
These instances are considered a low-hanging fruit for cybercriminals. Stealing this information does not require phishing, social engineering, hunting for zero-day vulnerabilities, or exploiting unpatched endpoints.
Yet, the data inside is valuable since it’s usually up-to-date and can be used in all sorts of fraud, including wire fraud, payment scams, identity theft, and more.
If you have used Logezy in the past, it would be wise to keep a closer eye on your accounts and credit reports for potentially suspicious activity.
You might also like
- Over 750 million records exposed by ERP firm data breach — find out if you're safe
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers