August 26th, 2024

32M invoices, contracts, patient consent forms, and more exposed to the internet

A non-password-protected database belonging to ServiceBridge exposed approximately 31.5 million documents, including sensitive personal and business information, raising significant privacy concerns and highlighting the need for better data protection practices.

A cybersecurity researcher discovered a non-password-protected database containing approximately 31.5 million documents belonging to ServiceBridge, a global field service management provider. The exposed records, totaling 2.68 TB, included contracts, invoices, work orders, and personal information from various companies worldwide, dating back to 2012. The documents raised significant security and privacy concerns, as they contained sensitive personally identifiable information (PII), including names, addresses, and partial credit card data. Some documents even included HIPAA patient consent forms and access information that could pose physical security risks. The researcher reported the exposure to ServiceBridge, which restricted access shortly after, but it remains unclear how long the database was publicly accessible or whether it was accessed by unauthorized individuals. The incident highlights the risks of invoice fraud, which can affect both B2B and B2C transactions, and emphasizes the need for companies to implement better data protection practices, including encryption and access controls. While the researcher did not imply negligence on the part of ServiceBridge, the exposure serves as a reminder of the importance of cybersecurity measures in protecting sensitive business and personal information.

- Nearly 32 million documents were exposed online due to a non-password-protected database.

- The exposed records included sensitive personal and business information, raising privacy concerns.

- The database belonged to ServiceBridge, a provider of field service management software.

- The incident underscores the risks of invoice fraud and the need for improved data protection practices.

- The researcher reported the exposure, leading to the database being restricted from public access.

2 comments
By @SoftTalker - about 2 months
Another day, another data leak.