Leaky ServiceBridge database exposes 31 million documents containing PII and sensitive data online

An unprotected database belonging to US-based field service management provider ServiceBridge leaked over 31.5 million records online.

Cybersecurity researcher Jeremiah Fowler discovered the breach and diligently reported his findings. According to Fowler’s analysis, the technology company’s records were housed in a 2.68 GB database that wasn’t protected by a password.

Exposed records ranged from PDF to .htm formats dating back to 2012, including contracts, work orders, invoices, proposals, inspections and completion agreements, all containing personally identifiable information such as names, physical addresses, email addresses, phone numbers, and partial credit card data.

The documents listed personal information from customers including private homeowners, medical providers, schools and even Las Vegas casinos.

“Many of the exposed documents displayed information that was not meant to be public. I also saw HIPAA patient consent forms and medical equipment agreements that identified individuals as patients, listing their first and last names,” Fowler said. ”Documents marked as “site audit reports” showed images of the inside and outside of properties or businesses. Several documents even included gate codes or other access information that could pose a potential physical security risk to property or individuals. In the limited sampling of documents I analyzed, the majority appeared to be US-based, but I also saw businesses and customers from Canada, the UK, and numerous European countries.”

Fowler also said he notified the company of the breach, and ServiceBridge quickly restricted public access to the records. To date, it remains unclear how long the records were exposed or if any malicious parties had access to this data.

However, Fowler did note some of the risks associated with the breach, which includes invoice fraud and phishing scams leveraging exposed information.

“Exposed invoices and internal business documents can potentially serve as a template for criminals to target victims using internal information that only the business and the customer would know,” Fowler wrote. “This insider knowledge is likely to generate a sense of trust, significantly increasing the chances of effective fraudulent activity.”

To safeguard against scams and the potential fallout of the breach, we recommend customers watch out for unexpected requests for personal information and closely monitor their accounts for suspicious activity.

For scam-free digital activities, use Bitdefender Scamio, our free-to-use AI-powered scam detector that can pick up on fraud attempts from  texts, messages, emails, images, and QR codes. Additionally, you can describe a suspicious situation and Scamio will provide you with an instant assessment on whether you may get scammed. Scamio is available on Facebook Messenger, WhatsApp and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.

Use Bitdefender Digital Identity Protection to bolster your cyber resilience against data breaches, with:

- Continuous Monitoring. Bitdefender’s Digital Identity Protection continuously monitors the dark web and other sources for signs that your personal information has been compromised. If any of your data is found, you are immediately alerted so you can secure your accounts.

- Real-Time Alerts. You receive real-time alerts about threats to your personal information. Whether it’s a data breach involving your email address, credit card number, or other sensitive information, Bitdefender promptly informs you.

- Detailed Reports. Bitdefender provides detailed reports on the status of your personal information, helping you understand what data might be at risk and what actions to take.

- Actionable Advice. In case of a breach or leak, Bitdefender offers actionable advice to mitigate the damage and protect your information. This might include changing passwords, contacting your bank, or other necessary measures.