The database of TransCredit, a Florida-based business credit reporting agency for the transportation industry, has been discovered as misconfigured, allowing access without the use of passwords, potentially exposing the financial information of more than half a million of its US and Canadian clients.
IT security researchers with website building blog Website Planet first discovered the breach, noting that a total of 822,789 records were left exposed by the misconfigured database. Of that number, 600,000 were customers’ credit records.
Apart from credit records, other sensitive data that was potentially compromised include clients’ full names, tax ID numbers, email addresses, payment histories, banking information, Social Security Numbers, internal login IDs and passwords, and Employer Identification Numbers.
Website Planet sent TransCredit a disclosure notice regarding the potential breach; public access to the database was restricted shortly after the notice.
“This database contained enough information to create a range of highly targeted fraud or scams,” Website Planet indicated in a blog post. “Criminals armed with insider knowledge could potentially gain trust very easily and companies or individuals would be less suspicious when presented with verifying a tax ID or other data. This is social engineering when a criminal validates information and creates a position of trust for financial gain.”