Franchise Services, the parent company of a number of large print and design companies, said it is investigating claims that sensitive customer data stored by one of its franchisees is accessible online.
The data dates back to 2010 and includes sensitive health records belonging to a former professional athlete, private business and employment records for an adult retail chain, and paperwork related to a lawsuit involving an actress and a Hollywood studio. Also included in the cache are tens of thousands more sensitive documents belonging to lesser-known clients.
MacKeeper Security Research Center said it discovered the data in October, stored insecurely on the internet and belonging to PIP Printing and Marketing Services, one of Franchise Services' brands. More than three months later, Franchise Services is only now acknowledging that MacKeeper told it about the vulnerable server, despite repeated notification attempts.
“This appears to be an isolated incident involving one of our many franchise owners,” said Christian Lau, vice president, information technology for Franchise Services. “We are looking into what may have gone wrong.”
According to MacKeeper, more than 400 GB of sensitive data is publicly available and not protected by any means such as a password.
“We discovered a publicly exposed remote synchronization (rsync) service during our routine security check via Shodan public search API back in late October 2016, but since then there has been no development from the DB owners to secure the breach,” Bob Dyachenko, chief communication officer at MacKeeper, told Threatpost.
In a draft of a blog post provided to Threatpost, MacKeeper researchers said: “The most sensitive information is contained within the ‘Outlook archives’ and ‘Scans’ folders. These contain around 50+GB of scanned documents relating to court cases, medical records, well-known companies, and celebrities.”
The data appears to have been collected by the PIP franchise as part of an email-based print request service, as well as from documents that were scanned to be processed by an optical character recognition program.
“We have hundreds of franchise locations and they each have their own IT infrastructure,” Lau said.
According to MacKeeper, the data was found on a backup server, owned by a PIP Printing and Marketing Services franchise located in Van Nuys, California, that was using insecure backup protocols.
In December, MacKeeper identified a similar insecure backup server maintained by Ameriprise Financial. In that case, Social Security numbers, decryption keys and confidential internal company documents were also exposed.
MacKeeper estimates as much as 15 percent of synchronized backups use misconfigured protocols allowing public access from anywhere in the world.
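The exposure described above, an rsync daemon serving backup modules to anyone on the internet with no password, usually comes down to a few missing lines in rsyncd.conf. The following Python script is an added example, not code from MacKeeper, PIP or Franchise Services; it audits an rsyncd.conf for that pattern, and the module names, paths and addresses in the embedded sample configuration are constructed.

```python
"""Audit an rsyncd.conf for modules that anyone who can reach the daemon can
list and read without a password (the exposure pattern in the article)."""
import configparser

# rsyncd.conf allows global parameters before the first [module]; naming the
# default section lets modules inherit them, which mirrors rsync's behaviour.
GLOBAL = "global"


def parse_rsyncd_conf(text: str) -> configparser.ConfigParser:
    """Parse rsyncd.conf text; keys are case-insensitive, as in rsync."""
    cp = configparser.ConfigParser(default_section=GLOBAL, interpolation=None)
    cp.read_string(f"[{GLOBAL}]\n" + text)
    return cp


def _is_true(value: str) -> bool:
    # rsync accepts yes/true/1 and no/false/0 for boolean parameters
    return value.strip().lower() in ("yes", "true", "1")


def audit_module(cp: configparser.ConfigParser, module: str) -> list:
    """Return findings for one module; an empty list means nothing was flagged."""
    findings = []
    anonymous = not cp.get(module, "auth users", fallback="").strip()
    if anonymous:
        findings.append("no 'auth users': no password is required to access the module")
        if _is_true(cp.get(module, "list", fallback="yes")):  # rsync default: listable
            findings.append("'list = yes': module is advertised in the anonymous module listing")
    elif not cp.get(module, "secrets file", fallback="").strip():
        findings.append("'auth users' set without 'secrets file'")
    if not cp.get(module, "hosts allow", fallback="").strip():
        findings.append("no 'hosts allow': reachable from any source address")
    if not _is_true(cp.get(module, "read only", fallback="yes")):  # rsync default: read-only
        findings.append("'read only = no': remote clients can write into the module")
    return findings


def audit(text: str) -> dict:
    cp = parse_rsyncd_conf(text)
    return {module: audit_module(cp, module) for module in cp.sections()}


# Constructed sample: one module exposed the way the article describes, one locked down.
SAMPLE_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes
[backups]
path = /srv/backups
comment = Nightly backups
read only = no
[archive]
path = /srv/archive
auth users = backupuser
secrets file = /etc/rsyncd.secrets
hosts allow = 192.0.2.0/24
list = no
"""

if __name__ == "__main__":
    for module, problems in audit(SAMPLE_CONF).items():
        print(module, "->", problems or ["ok"])
```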
“This is just another example of how exposed our digital lives have become, when even something as simple as printing documents can expose customers’ sensitive data,” MacKeeper researchers wrote.
Unknown is whether any of the unprotected data was accessed or copied by a third party besides MacKeeper.