On July 30th I discovered an open database that contained 18,667 records including names, account numbers, transaction details, user credentials, and admin passwords. Upon further investigation I was able to connect the data to a company named Timberwise, based in Cheshire, United Kingdom. According to their website they are one of Britain’s largest privately owned property preservation companies. Timberwise specializes in property care and preservation, but this data exposure regretfully lacked the same care and attention to detail that they put towards their properties.
We immediately followed our responsible disclosure process and reported our discovery to Timberwise directly. We were promptly notified that the leak was validated, and that the issue had been addressed by their third party.
What was in the Database:
- This was a CouchDB database set to open and visible in any browser (publicly accessible): anyone could edit, download, or even delete data without administrative credentials.
- 18,667 records with usernames, emails, IP addresses and other details
- The database also contained confidential account numbers, transaction data (no payment info exposed), user credentials, and admin passwords.
- IP addresses, ports, paths, and storage info that cyber criminals could exploit to gain deeper access into the network.
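The state described above (reads, writes and deletes accepted with no credentials) is what CouchDB 1.x and 2.x call "admin party": when the [admins] section of local.ini is empty, every request is treated as coming from an administrator. The fragment below is an added example, not configuration taken from Timberwise or its provider, showing that weak state beside the hardened one; the host, port and the admin name and password are placeholders. CouchDB hashes a plaintext password placed under [admins] the next time it starts, so the cleartext value does not persist in the file.

```ini
; --- WEAK: local.ini that produces "admin party" (hypothetical, not the exposed instance) ---
; No entry under [admins], so every unauthenticated request has the _admin role.
[admins]

; Listening on all interfaces exposes port 5984 to anyone who can reach the host.
[chttpd]
bind_address = 0.0.0.0
port = 5984
require_valid_user = false

; --- HARDENED: the same file with an administrator and mandatory authentication ---
[admins]
; Placeholder credentials; CouchDB rewrites this line as a PBKDF2 hash on restart.
couch_admin = CHANGE-ME-strong-passphrase

[chttpd]
; Bind to loopback (or an internal interface) and front it with a reverse proxy / firewall.
bind_address = 127.0.0.1
port = 5984
; Reject every request that does not carry valid credentials, including GET /_all_dbs.
require_valid_user = true

; CouchDB 1.x uses different section names for the same two settings:
; [httpd]            bind_address = 127.0.0.1
; [couch_httpd_auth] require_valid_user = true
```

After restarting, an unauthenticated GET on /_all_dbs or /_session against your own instance should return 401 rather than a database list or a userCtx with the _admin role; CouchDB 3.0 and later refuse to start at all without an [admins] entry, which removes the admin-party default entirely.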
We made several attempts to inquire more about the 3rd party provider, but the contact from Timberwise never replied after the first notification. Unfortunately, there is no way to know who the 3rd party service provider may have been.
“Thank you for bringing this to our attention. We have addressed the issue with the 3rd party supplier” – Timberwise Reply
We have seen many cases of 3rd party providers who inadvertently expose their client data publicly online. We would advise that any organization who uses a 3rd party provider be aware of any past data incidents and inquire about what security measures they employ for data protection. This is an important part of any business decision when choosing a data management partner.
Timberwise (UK) Ltd is based in Cheshire and offers services throughout the entire United Kingdom. It is unclear if this data incident was reported to users who may have been affected or to the authorities as required under GDPR. There is a strict reporting timeline, and Article 33 dictates that data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Despite several attempts and a request for comment regarding this data incident, Timberwise (UK) Ltd has not responded or commented on the data incident at the time of this publication.