Over 31 million documents from the field service management provider were left open to the internet.

Non-password-protected databases containing sensitive corporate and personal information continue to be created and left wide open on the internet. The latest example, with over 2TB of invoices and contracts from an American field service management provider, was discovered by cybersecurity researcher Jeremiah Fowler and reported Monday on WebsitePlanet.

Fowler said the database of about 31.5 million records belonged to ServiceBridge, a New Orleans-based provider of field service management software that offers scheduling, work order, and accounting capabilities for staff who do remote work such as landscaping, office cleaning, swimming pool maintenance, pest control, and more. ServiceBridge is part of GPS Insight, whose products also include fleet tracking.

After Fowler notified ServiceBridge, the database was restricted from public access. He can’t say how long it was exposed. It’s also unclear whether it was managed by ServiceBridge or by a third party.

Fowler said the database he discovered contained documents with personal information from companies ranging from schools to Las Vegas casinos. Some also included images of the inside and outside of properties, and gate codes that could be used to compromise physical security.

The exposed documents were in PDF and HTML formats, Fowler said, and were organized in folders by year and month. The documents dated back to 2012, and belonged to a large and diverse number of companies from different industries in the US, Canada, the UK and Europe.

User training needed

In any organization, failure to secure data stores containing sensitive information can be a sign that proper data handling procedures aren’t being followed and/or that security awareness training needs to be tightened.
The US National Institute of Standards and Technology (NIST) offers a free publication for CSOs/CISOs to assist in building an IT security awareness and training program. It’s written for federal agencies, but can apply to any organization.

“A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources,” it says in part. “In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.”

Risks from exposed documents

In his report, Fowler noted that the potential risks of invoice fraud from stolen documents affect both business-to-customer (B2C) and business-to-business (B2B) transactions.

“Exposed invoices and internal business documents can potentially serve as a template for criminals to target victims using internal information that only the business and the customer would know,” he wrote. “This insider knowledge is likely to generate a sense of trust, significantly increasing the chances of effective fraudulent activity.”

One cause of exposed corporate databases can be remote employees who aren’t working behind a firewall, said Johannes Ullrich, dean of research at the SANS Institute, a cybersecurity training provider. “It takes some work to expose databases,” he said in an interview. “It’s not something super-trivial to do.”

Cybersecurity requires discipline

Asked how CSOs can prevent employees from making mistakes with files or misconfiguring systems, Ullrich said it comes down to attack surface monitoring. That involves pre-emptively scanning not only the organization’s IP space, but also those of employees, for open ports, exposed APIs, and exposed corporate data.

Cybersecurity “is not hard,” he said. But, he added, “it requires some discipline and resources, too, to implement some of these controls.”
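One concrete form of the attack surface monitoring Ullrich describes is a scheduled check, run against endpoints the organization itself owns, that flags any service answering an unauthenticated request with data instead of a credential challenge. The script below is an added example, not code from the article or from any vendor named in it; the inventory hostnames are constructed placeholders and in practice come from the asset register.

```python
import socket
import urllib.error
import urllib.request

# Constructed inventory of endpoints the organization owns (hypothetical hostnames).
# The list comes from the asset register or cloud inventory, never from guessing.
OWNED_ENDPOINTS = [
    "https://docs.example.internal/",
    "https://api.example.internal/v1/invoices",
]


def classify(status, content_type, body_prefix):
    """Classify one unauthenticated GET against an owned endpoint.

    'exposed'   : 200 with machine-readable data or a directory listing, no auth challenge
    'review'    : 200 with other content; a human confirms it is meant to be public
    'protected' : server demanded credentials or denied access
    'other'     : redirects, not found, server errors
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "other"
    ctype = (content_type or "").lower()
    head = (body_prefix or "").lower()
    if ctype.startswith("application/json") or "<title>index of" in head:
        return "exposed"
    return "review"


def probe(url, timeout=5.0):
    """GET the URL without credentials and return (url, verdict, detail)."""
    req = urllib.request.Request(url, headers={"User-Agent": "owned-asset-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            head = resp.read(512).decode("utf-8", "replace")  # only a prefix is needed
            return url, classify(resp.status, resp.headers.get("Content-Type"), head), ""
    except urllib.error.HTTPError as err:  # non-2xx still carries a status to classify
        return url, classify(err.code, err.headers.get("Content-Type"), ""), f"HTTP {err.code}"
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return url, "unreachable", str(err)


def scan(endpoints=OWNED_ENDPOINTS):
    """Probe every owned endpoint; return only the verdicts that need attention."""
    return [r for r in (probe(u) for u in endpoints) if r[1] in ("exposed", "review")]


if __name__ == "__main__":
    for url, verdict, detail in scan():
        print(f"{verdict:9} {url} {detail}")
```

Anything classified as "exposed" is the document-store case from this article: a listing or JSON served with no 401/403 in front of it, which should be ticketed the same day and cross-checked against the inventory owner.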