A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.
The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.
Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.
The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.
Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.