InHouse Physicians, an Illinois-based healthcare provider that offers on-site medical services and wellness programs to organizations, was leaking sensitive data online via an unprotected database that was available to anyone who knew where to look.
A report from Website Planet and cybersecurity researcher Jeremiah Fowler recently found a non-password-protected database containing 148,000 records belonging to the healthcare company.
The archive contained people’s full names, their phone numbers, and whether or not they were cleared to enter an event, or tested positive for Covid-19 and denied entry. The entire database was 12GB heavy, and was locked down soon after Fowler reached out.
SIM-swapping and identity theft
“In the publicly exposed PDF files, I saw information indicating statuses of attendees for a wide range of events such as investor forums, family planning services, and other potentially sensitive sectors that could be high-value targets for cyber criminals,” Fowler explained.
While exposing “just” names and phone numbers might not sound like much, it’s more than enough for skilled cybercriminals. Fowler said he used free search engine and open source tools available to the general public and fed them the obtained information. They returned further identification details, helping him create an even bigger profile of potential targets.
Furthermore, knowing a person’s phone number opens them up for potential SIM-swapping attacks, which are often used to bypass multi-factor authentication and access high-value accounts such as banking, social media, or business platforms.
Unsecured databases remain one of the most common and most destructive causes of data leaks. For example, in mid-April 2024, taxi firm iCabbi exposed sensitive information on more than 300,000 taxi passengers in the UK and Ireland. This database was also discovered by Fowler, who confirmed it contained more than 20,000 records, and included Personally Identifiable Information (PII) such as names, emails, and phone numbers.