Recently I discovered a non-password-protected database that contained over 82 million records. The records had information that referenced multiple companies, including Whole Foods Market (owned by Amazon) and Skaggs, a public safety and uniform company that sells uniforms for police, fire, and medical customers all over the United States.
The logging records exposed a large number of customer order records, names, physical addresses, email addresses, partial credit card numbers, and more. These records were marked as “Production”. Further research showed that the database had multiple references to Dallas, Texas-based ProQuality Solutions. According to their website, they provide technology services such as Work Flow Automation, ETL Integration & Dashboards, Compliance, Resource Planning, Supply Chain Management, and Procurement.
What the database contained:
- Logging records that expose internal user names and customer data
- Visa, MasterCard, American Express: Partial credit card information, authorization tokens, codes, other transaction data
- Security and administrative data that could be used to bypass credentials
- This information could be used in a phishing attack internally or to send fake invoices to customers using internal records. There is enough information to create a successful man-in-the-middle attack.
- Internal notes about business processes. The files also show where data is stored and a blueprint of how the network operates from the back end.