A large number of private business and personal records were left exposed online after a database associated with the invoicing and billing platform Invoicely was found to be accessible without a password and with its contents stored unencrypted. The exposure raises serious concerns about data security and privacy.
The database was discovered by cybersecurity researcher Jeremiah Fowler, who reported that it contained approximately 180,000 files of sensitive data pertaining to clients, partners, and employees worldwide. The incident underscores how critical it is to secure personal information as more business is conducted online.
Vienna-based Invoicely, a service of Stack Holdings GmbH, provides cloud-based tools for creating estimates, managing billing, sending payment reminders, and tracking metrics such as time and vehicle mileage. It reportedly serves over 250,000 businesses worldwide, which widens the potential impact of the exposure.
Details of the Breach
The exposed database contained 178,519 files, including invoices, tax forms, check images, and banking information, largely in widely used formats such as CSV and PDF. It also held personally identifiable information (PII), including names, physical addresses, phone numbers, and tax identification numbers, as well as sensitive documents such as airline tickets and medical payment receipts. The volume and nature of this data considerably heighten the risk such an exposure poses.
Risk Implications of Data Exposure
The consequences of such an exposure are serious, with heightened risk of identity theft and financial fraud. The combination of names, addresses, and banking details gives criminals exactly what they need for targeted attacks, including spear-phishing campaigns that can deceive individuals and businesses alike.
Moreover, the invoices in the exposed dataset create an opportunity for invoice fraud, in which attackers armed with genuine invoice details deceive companies into paying fake or altered invoices. The AFP Payments Fraud and Control Survey found that 80% of organizations were targets of attempted or actual payments fraud in 2023 alone.
The exposure reinforces the importance of encrypting sensitive data at rest, so that it is “extremely difficult to access without the correct credentials,” even when a misconfiguration leaves the storage itself reachable. Following responsible disclosure practices, the researcher alerted the company and the database was promptly taken offline.
Questions remain about whether the database was managed directly by Invoicely or by a third-party contractor, how long it was publicly accessible, and whether anyone other than the researcher accessed the data. Users are advised to enable multi-factor authentication and avoid password reuse; these measures protect their own accounts from takeover, though they would not have prevented a server-side exposure of this kind.