A database configuration error at a popular automotive retailer led to the exposure of 1TB of records, including customers’ personal information, according to WebsitePlanet.
Security researcher Jeremiah Fowler reported the incident to the web-builder site, having traced the records to Philadelphia-based business SimpleTire. The online tire retailer claims to have a network of over 10,000 installers and more than 3000 independent supply points.
Fowler said he sent “multiple email notices” to SimpleTire to responsibly disclose his findings, but claimed the non-password-protected database remained publicly accessible to anyone with an internet connection for over three weeks before it was finally locked down.
It is unclear how long the database had been publicly exposed before Fowler’s discovery.
The SimpleTire database contained over 2.8 million records, including nearly 1.2 million order confirmation PDFs that featured personally identifiable information (PII) such as customer names, phone numbers and billing addresses. Also contained on the order records were partial credit card numbers and expiry dates.
Details of orders, including authorized installers, receipt numbers, product information and payment amounts, were also clearly visible, according to screenshots shared by Fowler.
The researcher warned of the risk of follow-on social engineering attacks if hackers had managed to access the exposed database.
“The criminal could contact the victim and claim to work for SimpleTire or one of the installers and advise the customer that they need to update their payment details,” he argued.
“In this case, the criminal would have insider knowledge of the purchase, order confirmation numbers, and could verify the last four digits of the card number on file. Customers would have no reason to think the request for more information is not a legitimate call from a company they already have a business relationship with.”
Fowler also called on companies to put in place clear communications channels and incident response protocols in order to handle cases such as this.
“This can greatly limit the amount of time sensitive information is exposed, reported to the company involved, and finally restricted from public view,” he concluded.