- The researchers found an unprotected online database with almost eight million files
- Database contained work authorization documents, national insurance numbers, certificates and other confidential data
- It belonged to the Logezy software firm, which says the database is now blocked
Millions of health workers in the United Kingdom have had their confidential data leaked online, after an unprotected database was found on the Internet.
Security researcher Jeremiah Fowler found a 1.1TB database containing almost eight million files (7,975,438), including images and .pdf files, work authorization documents, national insurance numbers, certificates, electronic signatures, time sheets, user images and identification documents issued by the Government.
In addition, the database contained 656 directory entries indicating different companies, most of which were medical care suppliers, recruitment agencies and temporary employment services.
Identity theft and other risks
Fowler determined that the database belonged to Logezy, an employee management and tracking software company based in the United Kingdom.
He notified Logezy of his findings, and the company blocked the database “shortly after.”
To find unprotected databases, researchers would use a specialized search engine, such as Shodan, and analyze the results.
So far, Fowler has found dozens of similar cases, including ClickBalance (more than 750 million records), DM Clinical Research (more than one million clinical records) and ServiceBridge (31 million).
Without a detailed forensic analysis, it is impossible to know if a threat actor has already accessed the database and exfiltrated the information found there.
It is also impossible to know how long the database remained open, and whether it was managed by Logezy or by a third party on its behalf.
Such instances are considered low-hanging fruit for cybercriminals. Stealing this information does not require phishing, social engineering, hunting for zero-day vulnerabilities or exploiting unpatched endpoints.
However, the data inside is valuable, since it is generally up to date and can be used in all types of fraud, including electronic fraud, payment scams, identity theft and more.
If you have used Logezy in the past, it would be advisable to monitor your accounts and credit reports for potentially suspicious activity.