
Nearly 32 Million Documents, Invoices, Contracts and Agreements Made Available Online by Global Field Service Management Provider

Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet about an unpassworded database of 31.5 million records from ServiceBridge, a technology company that provides field service management for businesses. The database contained contracts, work orders, invoices, proposals and more from companies around the world.

The non-password-protected database contained 31,524,107 files with a total size of 2.68 TB. The exposed documents were in .PDF and .htm formats (.htm files are designed to be viewed in web browsers) and were organized into folders by year and month. The documents dated back to 2012 and belonged to a large and diverse number of companies from a variety of industries. They included contracts, work orders, invoices, proposals, inspections, completion agreements, and other business-related data. Exposed business and personal data of this kind can pose serious security and privacy concerns.

After further investigation, I discovered that the documents belonged to ServiceBridge (by GPS Insight), a franchise management software platform for field service management, job dispatching, scheduling, and work order management. I immediately sent a responsible disclosure notice, and the database became publicly unavailable shortly thereafter. I have not received a response to my report, and it is unknown how long the database had been exposed or whether anyone else gained access to the millions of documents. It is also unclear whether the database was managed by ServiceBridge or by a third party. Only an internal forensic audit would be able to identify suspicious activity, additional access, and a timeline of the exposure. It should be noted that while some files were marked with a GPS Insight logo, I did not see any fleet management documents.

According to their website, the ServiceBridge platform is built to serve multiple industries, such as commercial/industrial services, pest and animal control, cleaning, landscaping, construction, and other services. The documents I saw listed a wide range of customers, from private homeowners, schools, and religious institutions to well-known restaurant chains, Las Vegas casinos, medical providers, and many others. Many of the exposed documents contained information that was not intended to be public.
For example, some files contained PII such as names, physical addresses, email addresses, phone numbers, and partial credit card information. I also saw HIPAA patient consent forms and medical device agreements that identified individuals as patients by their first and last names. Documents marked as “site audit reports” showed images of the interior and exterior of buildings or businesses. Several documents even contained access codes or other access information that could pose a physical security risk to property or individuals. In the limited sample of documents I analyzed, the majority appeared to be based in the U.S., but I also saw companies and customers from Canada, the U.K., and numerous European countries.

Invoice fraud cuts both ways, affecting business-to-customer (B2C) and business-to-business (B2B) transactions alike. Exposed invoices and internal company documents can serve as a template for criminals to target victims using details that only the company and the customer would know. That insider knowledge creates a sense of trust and significantly increases the likelihood that a fraudulent request is acted on. In 2022, it was estimated that a U.S. business loses an average of $300,000 per year to invoice and payment fraud; the same report found that a staggering one in four (25%) finance professionals do not fully understand how much this fraud is costing their business. In 2023, it was reported that 52% of large businesses experienced some form of payment fraud. While large businesses typically have the revenue and resources to recover from invoice fraud more quickly, these scams can be devastating for small to medium-sized businesses and independent franchisees. Invoice fraud is a relatively low-tech crime that relies primarily on social engineering, so it is important to be proactive and always exercise caution when processing invoices.
I recommend that every business, no matter how large or small, take steps to train their accounts payable team to recognize common scams and take the necessary precautions when processing invoices. One of the easiest types of fraud to identify is invoices from an unknown vendor. Always keep accurate records of vendors, contractors, and customers to verify that payment requests are legitimate. Paying invoices on time is important to any business, and criminals take advantage of the need for prompt payments. If there is anything suspicious about an invoice, I recommend holding payment until the information is verified. Customers should also be vigilant when contacted by companies they have used in the past asking for additional information or unexpected payment requests. I am not suggesting that ServiceBridge users or their end customers are at risk of invoice or other forms of fraud. I am simply presenting a realistic risk scenario of how the exposure of these types of documents could be used by criminals for nefarious purposes.
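The checks above (unknown vendor, altered payment details, unexpected requests) can be made mechanical before an invoice ever reaches a human approver. The following Python script is an added example, not code from the original article or from ServiceBridge; the vendor-of-record list, the paid-invoice register and the three incoming invoices are constructed sample data, and the field names are assumptions about how an accounts-payable system might store them. It flags invoices from vendors that are not on file, bank details that differ from the account of record, sender domains that do not match the vendor, resubmitted invoice numbers, and pressure language in the notes.

```python
"""Screen incoming invoices against a vendor-of-record file.

Added example, not the article's or ServiceBridge's code. All data below
is constructed; field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str    # account of record, confirmed out-of-band at onboarding
    contact_domain: str  # e-mail domain the real vendor sends from


# Constructed vendor master; in practice this comes from the AP system.
VENDOR_MASTER = {
    "acme pest control": Vendor("Acme Pest Control", "US12-3456", "acmepest.example"),
    "greenleaf landscaping": Vendor("Greenleaf Landscaping", "US98-7654", "greenleaf.example"),
}

# (vendor key, invoice number) pairs already paid; a resubmitted number is a
# classic duplicate-payment scam built from a leaked copy of the real invoice.
PAID_INVOICES = {("acme pest control", "INV-1041")}

PRESSURE_WORDS = ("urgent", "immediately", "final notice", "new bank details")


def screen_invoice(inv: dict) -> list[str]:
    """Return the red flags for one invoice; an empty list means it passed.

    Any flagged invoice should be held and verified with the vendor through a
    contact channel already on file, not one given in the invoice itself.
    """
    flags: list[str] = []
    key = inv["vendor"].strip().lower()
    vendor = VENDOR_MASTER.get(key)
    if vendor is None:
        # Unknown vendor: nothing else can be checked, stop here.
        flags.append("unknown vendor: not in vendor-of-record list")
        return flags
    if inv["bank_account"] != vendor.bank_account:
        flags.append("bank account differs from account of record")
    sender_domain = inv["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.contact_domain:
        flags.append(f"sender domain {sender_domain} != vendor domain {vendor.contact_domain}")
    if (key, inv["invoice_number"]) in PAID_INVOICES:
        flags.append("duplicate of an already-paid invoice number")
    notes = inv.get("notes", "").lower()
    if any(word in notes for word in PRESSURE_WORDS):
        flags.append("pressure language in notes")
    return flags


def screen_batch(invoices: list[dict]) -> dict[str, list[str]]:
    """Screen a batch and map each invoice number to its flags."""
    return {inv["invoice_number"]: screen_invoice(inv) for inv in invoices}


# Constructed sample inbox: one legitimate invoice, one built from a leaked
# copy of a paid invoice with swapped bank details, one from a vendor not on file.
SAMPLE_INVOICES = [
    {"vendor": "Acme Pest Control", "invoice_number": "INV-1042", "bank_account": "US12-3456",
     "sender_email": "billing@acmepest.example", "notes": "Quarterly treatment, net 30"},
    {"vendor": "Acme Pest Control", "invoice_number": "INV-1041", "bank_account": "GB77-0001",
     "sender_email": "billing@acmepest-invoices.example",
     "notes": "URGENT: please remit immediately to our new bank details"},
    {"vendor": "Northstar Cleaning", "invoice_number": "7", "bank_account": "US00-0000",
     "sender_email": "ap@northstar.example", "notes": ""},
]

if __name__ == "__main__":
    for number, flags in screen_batch(SAMPLE_INVOICES).items():
        print(number, "PASS" if not flags else "HOLD: " + "; ".join(flags))
```

The second sample invoice is the scenario the article describes: every detail except the bank account and sender domain is copied from a genuine, already-paid invoice, so it looks trustworthy to a reader but trips four independent checks. Keeping the bank account of record and the vendor's contact domain in the master file is what makes the comparison possible; a vendor list that holds only names cannot catch a payment redirection.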
When applications use or transmit documents or images, those files need to be stored somewhere and be accessible to the application on demand. Often, these documents are stored in one place and are neither encrypted nor password protected. End-to-end encryption comes with significant development costs and technical challenges, so many organizations choose a cloud storage repository and expose individual documents to applications or web browsers by direct link. Each such link reveals the path where the file is stored, and if the storage bucket or database is misconfigured to allow public access, anyone who learns one path can enumerate or guess the rest and expose the entire data set. Software developers should segment potentially sensitive data, use encryption, enforce access controls on cloud storage buckets and databases, issue time-limited rather than permanent links to individual files, and ensure that applications transmit documents securely. I am not suggesting that this is how the ServiceBridge technology or application works in practice; I am merely providing a hypothetical risk scenario based on my previous research into application-based data exposures.
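The usual remedy for the scenario above is to keep the bucket private and hand applications short-lived signed links to single objects, which is what the major cloud providers offer natively (S3 presigned URLs, GCS signed URLs, Azure SAS tokens). The Python below is an added example that reimplements that pattern in miniature to show why it helps; it is not code from the original article or from ServiceBridge or GPS Insight. The signing key, the host name docs.example.invalid and the document paths are constructed for the example. The path and an expiry time are bound into an HMAC, so a leaked link stops working after its lifetime and cannot be edited to reach a neighbouring file, and a bare path with no signature is refused outright.

```python
"""Short-lived signed URLs for documents in a private storage bucket.

Added example, not the article's or ServiceBridge's code. The key, host
and paths are constructed; a real deployment would use the provider's own
signed-URL mechanism with a key that never leaves the server.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"example-only-signing-key-rotate-me"  # assumption: held server side only
BUCKET_HOST = "https://docs.example.invalid"         # constructed, not a real endpoint


def _mac(path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over path and expiry; binding the path defeats sibling guessing."""
    return hmac.new(key, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


def sign_document_url(path: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue a link to one object that is valid for ttl_seconds."""
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError("path must be absolute and free of traversal segments")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{BUCKET_HOST}{path}?{query}"


def authorize(url: str, now: Optional[int] = None) -> tuple[bool, str]:
    """Storage-side gate: serve only a correctly signed, unexpired URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "sig" not in q or "expires" not in q:
        return False, "unsigned direct path access refused"
    try:
        expires = int(q["expires"][0])
    except ValueError:
        return False, "malformed expiry"
    if now > expires:
        return False, "link expired"
    expected = _mac(parts.path, expires)
    # compare_digest avoids leaking the signature through timing differences.
    if not hmac.compare_digest(expected, q["sig"][0]):
        return False, "signature does not match path/expiry"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = sign_document_url("/docs/2019/03/invoice-1042.pdf", ttl_seconds=300, now=t0)
    print(link)
    print(authorize(link, now=t0 + 100))                                   # (True, 'ok')
    print(authorize(link, now=t0 + 301))                                   # expired
    print(authorize(link.replace("invoice-1042", "invoice-1043"), now=t0 + 100))  # sibling guess
    print(authorize(f"{BUCKET_HOST}/docs/2019/03/invoice-1042.pdf", now=t0 + 100))  # bare path
```

The four calls at the end are the cases that matter: a valid link is served, the same link after its lifetime is not, changing the file name in a captured link fails because the path is part of what was signed, and a plain path with no signature (the situation a public bucket would otherwise allow) is refused. Signed links do not replace a correct bucket policy; they are what an application hands out once the bucket is no longer world-readable.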
I do not imply any negligence, wrongdoing, or misconduct on the part of ServiceBridge or GPS Insight, nor do I claim that any companies, customers, or documents were ever compromised. It is not known how long the database was exposed and publicly accessible, or whether anyone else had access to the non-password-protected documents. As an ethical cybersecurity researcher, I do not download or extract the data I discover; I only take a limited number of redacted screenshots for validation and reporting purposes. I publish my findings to raise awareness of important cybersecurity issues and promote best practices in data protection.