Recently I discovered a dataset had detailed information on trucking, transport companies, and individual drivers. The data appeared to be connected to credit accounts, loans, repayment, and debt collections. This included banking information and tax ID numbers. Many of the Tax IDs were consistent with what appeared to be SSN (Social Security Numbers) and stored in plain text.
Upon further research there were multiple references including internal emails and usernames of a Florida based company called TransCredit. We immediately sent a responsible disclosure notice to TransCredit and public access was restricted shortly after. The records appeared to contain the data of trucking and transportation companies based in the United States and Canada.
Here is what we have discovered:
- Total Records: 822,789
- Internal records that include customers first and last names, emails, bank information, Tax ID numbers that appear to be SSN and EIN (Employer Identification Number).
- These individuals could be at risk of a targeted social engineering attack using insider information.
- Detailed notes on collections, payment histories, new applicants, status and progress. References to “TransCredit” and “Transcore”
- Internal Passwords and login IDs / Usernames, account numbers. We can only assume that these could be used to access the user portal. (We do not circumvent password protections or attempt to validate user credentials for ethical reasons).