An unsecured database containing 822k records including 600k credit reports related to the US and Canadian transportation industry has been discovered online.
Security researcher Jeremiah Fowler together with the Website Planet research team found the database which contained detailed information on trucking, transport companies and even individual drivers.
The data itself appears to be connected to credit accounts, loans, repayment and debt collections and includes banking information and Tax ID numbers. However, many of the Tax IDs were consistent with what seems to be Social Security Numbers (SSNs) and were stored in plain text.
Upon further investigation, Fowler and the Website Planet research team found multiple references as well as internal emails and usernames to the Florida-based company TransCredit. Just as Experian, TransUnion and Equifax provide credit scores to consumers, TransCredit created a “credit score” for the transportation industry that rates shippers and brokers and assigns a risk assessment score from 0 to 99.
The records stored in the unsecured database could give an attacker an overview of a carrier or independent operator’s entire business as they include information regarding late payments, non-payment, bankruptcy, collections and more.
Potential for fraud and scams
Although Fowler and the Website Planet research team sent a responsible disclosure notice to TransCredit immediately following their discovery and public access to the database was restricted shortly after, cybercriminals and other hackers could have downloaded its contents while it wasn’t password protected.
While the pandemic has already led to a driver and labor shortage, transportation companies could also now be at risk of fraud and other scams. This is because the database contained enough information for an attacker to craft believable phishing campaigns as well as tax and repair invoice scams. The inclusion of Tax ID data could also be used by a cybercriminal to build trust with potential victims using social engineering.
Although there were numerous references to TransCredit inside the now secured database, Fowler and the Website Planet research team did not receive a reply from anyone at the company verifying the data did indeed belong to it. This means that the data could have been exposed by a contractor or by another third party that had access to the reports in question.
The only thing companies and independent contractors whose information was exposed can do to protect themselves from fraud and scams is to validate each and every payment or information request. Thankfully though as the database was secured quickly, it’s possible that its contents weren’t downloaded by anyone else for nefarious purposes.
Fowler provided further insight on how the data contained in this exposed database could be used as a working list for bad actors in an email to TechRadar Pro, saying:
“With all of the supply chain issues we are facing now, it’s very bad timing to expose detailed records on transportation companies and individual drivers. The COVID 19 pandemic has hit the transportation sector extremely hard and highlights how the industry needs to transform and modernize. This data leak contained multiple risks of how criminals could use the privileged information to identify targets and establish a position of trust with their victims. Credit and debt information will always be a valuable target for traditional crimes and identity theft, but there are also a range of scams or fraud that are specific to the transportation industry. Unfortunately, this database contained enough information that bad actors could potentially use as a working list.”