- Rockerbox kept an online database for an unknown period
- The database contained identity card numbers and other vital information
- After his discovery, he was now locked
A tax credit consultancy agency inadvertently exhibited sensitive data on thousands of its customers, allegedly keeping a database filled with personally identifiable information (PII) open to public Internet.
It was discovered by Jeremiah Fowler, cybersecurity researcher and known analyst for hunting for databases unacceptable and not protected by passwords, and in a new VPNmentor report, Fowler said that he had found an archive with a total size of 286.9 GB, containing 245,949 records.
“In a limited sample of the documents exposed, I saw files that detailed PIIs such as names, physical addresses, email addresses, Dob and SSN in raw text,” said Fowler. “There were also driving licenses, identification cards, SSN cards, tax credit documents that included information on employment and wages, and letters of determination with acceptance or refusal of eligibility.”
Rockerbox flees
In addition, he observed DD214 forms – Liberation or Liberation certificates of active service, issued by the American Ministry of Defense to Veterans and similar military staff. There were also PDF files protected by password labeled like “forms”, with file names containing PIIs such as employers’ names and first and family names of candidates.
Fowler awarded the database to a company based in Texas called rockerbox, an organization of tax credit advice helping companies increase their cash flows by identifying and managing employers focused on employers through programs such as the work opportunities (WOTC), (ERTC), R&D credits and empowerment zone credits.
After holding the hand to Rockerbox, the company closed the archives in a few days, but would never have answered the researcher.
Consequently, we do not know if the company manages this database, or if this work has been managed by a third party – or if threat actors have obtained it in the past, but at the time of the press, there was no proof of abuse in the will.
