- Rockerbox kept a database open online for an unknown period
- The database contained ID card numbers and other important information
- After its discovery, it has now been locked down
A tax credit consultant unintentionally exposed sensitive data about thousands of its customers by allegedly keeping a database filled with personally identifiable information (PII) open on the public Internet.
It was discovered by Jeremiah Fowler, a cybersecurity researcher and analyst known for hunting for unencrypted and non-password-protected databases. In a new vpnMentor report, Fowler said he found an archive with a total size of 286.9 GB containing 245,949 items.
“In a limited sampling of the exposed documents, I saw files that detailed PII such as names, physical addresses, email addresses, DOB and SSN in plain text,” Fowler explained. “There were also driver’s licenses, identification cards, SSN cards, Work Opportunity Tax Credit documents that included employment and salary information and determination letters with acceptance or denial of eligibility.”
In addition, he observed DD214 forms, the certificates of release or discharge from active duty that the US Department of Defense issues to veterans and similar military staff. There were also password-protected PDF files labeled as “forms”, with file names containing PII such as employer names and applicant names, including last names.
Fowler attributed the database to a Texas-based company called Rockerbox, a tax credit consulting organization that helps companies increase their cash flow by identifying and managing employer-focused tax incentives through programs such as the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D Credit and Empowerment Credits.
After Fowler reached out to Rockerbox, the company locked down the archive within a few days, but allegedly never responded to the researcher.
Therefore, we do not know whether the company administers this database itself, whether that work was handled by a third party, or whether any threat actors accessed it in the past, but at press time there was no evidence of abuse in the wild.



