According to WebsitePlanet, a database configuration error at a popular auto retailer exposed 1TB of records containing personal customer information.
Security researcher Jeremiah Fowler traced the records to the Philadelphia-based company Simpletire and reported the incident through WebsitePlanet. The online tire retailer claims a network of over 10,000 installers and more than 3,000 independent supply points.
Fowler sent “multiple email notifications” to Simpletire to responsibly disclose the findings, but the database, which had no password protection, remained open for more than a week before it was finally locked down. During that time, he said, it was accessible to anyone with an internet connection.
It’s unclear how long the database was open to the public before Fowler’s discovery.
For more information on database misconfiguration, see Database Snafu Leaks 600,000 Records from Marketplace.
The Simpletire database contained over 2.8 million records, including approximately 1.2 million order confirmation PDFs featuring personally identifiable information (PII) such as customer name, phone number and billing address. Each order record also contained a partial credit card number and expiration date.
According to the screenshots Fowler shared, he could also clearly see order details such as the authorized installer, receipt number, product information and payment amount.
Fowler warned of the risk of follow-on social engineering attacks if criminals had accessed the exposed database.
“Criminals may contact the victim, claiming to work for either Simpletire or the installer, and advise the customer that they need to update their payment details,” he argued.
“In this case, the criminal has inside information about the purchase and the order confirmation number, and would be able to see the last four digits of the card number on file. There is no reason to believe that it is not a legitimate call from a company.”
Fowler also called on companies to have clear communication channels and incident response protocols in place to handle such cases.
“This could significantly limit the amount of time sensitive information can be made public, reported to the companies concerned, and ultimately restricted from public view,” he concluded.