TransCredit is a Jacksonville, Florida-based business credit reporting agency for the transportation industry.

IT security researchers at Website Planet discovered a misconfigured database owned by TransCredit, a Jacksonville, Florida-based business credit reporting agency for the transportation industry.

According to Website Planet’s Jeremiah Fowler, the database contained a treasure trove of sensitive financial and personal data belonging to customers, including trucking and transportation companies based in Canada and the United States.

What data was exposed?

In total, the misconfigured database exposed 822,789 records, of which 600,000 were customers’ credit records. Other exposed information included the following:

  1. Full names 
  2. Tax ID numbers
  3. Email addresses
  4. Payment histories
  5. Banking information
  6. Social Security Numbers (SSN)
  7. Internal login IDs and passwords
  8. EIN (Employer Identification Number)

And the list goes on…

[Image: TransCredit exposed financial data of half a million Americans and Canadians. Caption: One of the screenshots from the exposed database (Image credit: Website Planet)]

Database exposed without password protection

According to Website Planet’s blog post, the worst part of the incident is that the database was left exposed to public access without any password or security authentication, meaning anyone with knowledge of how to find misconfigured databases could have accessed the data.

Furthermore, the database was also at risk of being compromised by ransomware gangs, which are known for encrypting exposed databases and demanding a ransom in return. In 2020, 47% of online MongoDB databases were hacked by ransomware gangs.

The real danger to transportation companies is fraud and scams. This database contained enough information to create a range of highly targeted fraud or scams. Criminals armed with insider knowledge could potentially gain trust very easily and companies or individuals would be less suspicious when presented with verifying a Tax ID or other data.

Jeremiah Fowler – Website Planet

Time period

Although it is unclear exactly when the database was exposed online or whether it was accessed by a third party with malicious intent, Website Planet said that its researchers discovered the misconfiguration on September 17th, 2021. However, details of it were only shared recently.

The good news is that TransCredit was quick to respond and secured the database shortly after receiving an alert from Website Planet.

Posted by Charlie