An unsecured database was discovered containing 822 thousand records including 600,000 credit reports related to the transportation industry in the United States and Canada.
Security researcher Jeremiah Fowler along with the Website Planet research team found the database containing detailed information on trucking, carriers and even individual drivers.
The data itself appears to be related to credit, loan, and repayment accounts, and debt collection and includes bank information and tax ID numbers. However, many of the tax IDs were compatible with what appeared to be Social Security Numbers (SSNs) and were stored in plain text.
Upon further investigation, Fowler and the Website Planet research team found multiple references as well as internal emails and usernames of Florida-based TransCredit. Just as Experian, TransUnion, and Equifax provide consumer credit scores, TransCredit has created a “credit score” for the transportation industry that rates shippers and brokers and assigns a risk rating score from 0 to 99.
According to a new report, records stored in an insecure database can give an attacker an overview of a carrier or an entire independent company as they include information regarding late payments, non-payment, bankruptcy, collection, and more.
Fraud and fraud potential
Although Fowler and the Website Planet research team sent an official disclosure notice to TransCredit upon discovery and public access to the database was restricted shortly after, cybercriminals and other hackers could download its contents while it was not password protected.
While the pandemic has already led to driver and labor shortages, carriers may now be at risk of scams and other frauds. This is because the database contains enough information for an attacker to design believable phishing campaigns as well as tax and correctional billing frauds. Including tax ID data can also be used by cybercriminals to build trust with potential victims using social engineering.
Although there are numerous references to TransCredit within the now-secured database, Fowler and the Website Planet research team did not receive a response from anyone in the company verifying that the data actually belonged to them. This means that the data may have been disclosed by a contractor or third party who had access to the respective reports.
The only thing companies and independent contractors whose information has been disclosed can do to protect themselves from fraud and fraud is to verify the authenticity of each payment or information request. Fortunately, since the database was quickly secured, it is possible that its contents were not downloaded by anyone else for nefarious purposes.
Fowler offered more ideas on how to use the data in this exposed database as a worklist for bad actors in an email to Tikradar Pro, saying:
“With all the supply chain issues we are facing right now, it is a very bad timing to release detailed records on individual carriers and drivers. The COVID 19 pandemic has hit the transportation sector hard and highlights how the industry needs to transform and modernize. This data leak contained multiple risks related to how the use of Criminals privilege information to set targets and establish a trust center with their victims.Credit and debt information will always be a valuable target for traditional crime and identity theft, but there is also a host of fraud or fraud specific to the transportation industry.Unfortunately, this database contains enough information that perpetrators can use The bad as a to-do list”.