Security researcher Jeremiah Fowler together with the Website Planet research team discovered a non-password protected database that contained 822,789 records. The dataset had detailed information on trucking, transport companies, and individual drivers. The data appeared to be connected to credit accounts, loans, repayment, and debt collections. This included banking information and tax ID numbers. Many of the Tax IDs were consistent with what appeared to be SSN (Social Security Numbers) and stored in plain text.
Upon further research there were multiple references, including internal emails and usernames, to a Florida-based company called TransCredit. We immediately sent a responsible disclosure notice to TransCredit and public access was restricted shortly after. The records appeared to contain the data of trucking and transportation companies based in the United States and Canada.
According to their website: “TransCredit utilizes robust data from a large network of aging providers to create our reports. Our DISC and Premier Credit Reports are the most comprehensive industry-specific credit reports available, displaying a unique credit score and payment trends. We provide dependable credit reports that you can access quickly to make informed decisions.”
Here is what we have discovered:
- Total Records: 822,789
- Internal records that include customers’ first and last names, emails, bank information, and Tax ID numbers that appear to be SSNs and EINs (Employer Identification Numbers).
- These individuals could be at risk of a targeted social engineering attack using insider information.
- Detailed notes on collections, payment histories, new applicants, status and progress. References to “TransCredit” and “Transcore”.
- Internal passwords and login IDs / usernames, and account numbers. We can only assume that these could be used to access the user portal. (We do not circumvent password protections or attempt to validate user credentials for ethical reasons.)
- Indices named:
- The files also show where data is stored and a blueprint of how the network operates from the back end. The database was at risk of a ransomware attack that would encrypt the data.
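Added example, not from the report and not TransCredit’s code: a small Python audit that classifies tax_id values in constructed sample records, applies the SSA issuance rules to tell SSN-like values from EIN-like ones, and reports plaintext SSN candidates with only the last four digits retained. A defender would run something like this over an export before deciding which fields must be tokenised or encrypted; field names and the SSN plausibility rules are assumptions.

```python
import re

# Constructed sample records modelled on the field types the exposed
# dataset reportedly held; every name and number here is made up.
SAMPLE_RECORDS = [
    {"company": "Example Freight LLC", "tax_id": "12-3456789"},
    {"company": "Jane Driver (owner-operator)", "tax_id": "123-45-6789"},
    {"company": "Acme Haulers", "tax_id": "123456789"},
    {"company": "Bad Data Inc", "tax_id": "666-12-3456"},
    {"company": "Short Corp", "tax_id": "12345"},
]

SSN_FMT = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # formatted SSN
EIN_FMT = re.compile(r"^\d{2}-\d{7}$")         # formatted EIN
DIGITS9 = re.compile(r"^\d{9}$")               # unformatted, ambiguous

def ssn_plausible(digits: str) -> bool:
    """SSA issuance rules (assumed here): area not 000/666/9xx,
    group not 00, serial not 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def classify_tax_id(value: str) -> str:
    """Return 'SSN', 'EIN', 'SSN?' (unformatted but SSN-plausible),
    'EIN?' (unformatted, fails SSN rules) or 'invalid'."""
    digits = re.sub(r"\D", "", value)
    if SSN_FMT.match(value):
        return "SSN" if ssn_plausible(digits) else "invalid"
    if EIN_FMT.match(value):
        return "EIN"
    if DIGITS9.match(value):
        return "SSN?" if ssn_plausible(digits) else "EIN?"
    return "invalid"

def mask_tax_id(value: str) -> str:
    """Keep only the last four digits, which is all a collections
    note or support screen needs to show."""
    digits = re.sub(r"\D", "", value)
    return "***-**-" + digits[-4:] if len(digits) == 9 else "****"

def audit(records):
    """Flag every record whose tax_id is a plaintext SSN candidate."""
    findings = []
    for rec in records:
        kind = classify_tax_id(rec["tax_id"])
        if kind in ("SSN", "SSN?"):
            findings.append((rec["company"], kind, mask_tax_id(rec["tax_id"])))
    return findings
```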
How TransCredit Works
The process is very similar to how an individual has a traditional credit score in the United States. A credit score is a number that tries to capture a person’s creditworthiness and how likely that person is to pay their bills; for individuals this score comes from one of the three major credit bureaus: Experian, TransUnion, and Equifax. In a very similar way, TransCredit created a “credit score” for the transportation industry that rates shippers and brokers and assigns a risk assessment score ranging from 0 to 99, with 0 being high risk and 99 being the lowest risk. Applying a scoring system gives an idea of the risk to shippers, drivers, and transport companies alike. Some carriers rely on such a scoring system and disqualify shippers with a poor rating. The records in this exposure contained information on whether companies and independent operators were making late payments or had non-payments, bankruptcies, collections, and more.
Risks to the Transportation Industry
The pandemic combined with a driver and labor shortage has caused major problems for the US supply chain. Even though you may not realize it, the transportation industry affects every American and Canadian consumer. When there is a break in the supply chain and goods can’t be delivered we see a spike in prices that people feel at the cash register or when shopping online. The current inflation spike is a consequence of supply constraints meeting very strong demand that can’t be fulfilled.
The real danger to transportation companies is fraud and scams. This database contained enough information to create a range of highly targeted fraud or scams. Criminals armed with insider knowledge could potentially gain trust very easily, and companies or individuals would be less suspicious when asked to verify a Tax ID or other data. This is social engineering: a criminal validates information to create a position of trust for financial gain. This could be as easy as saying “I am calling about account number 1234 and Tax ID ending in 1234. We need you to update your payment information”.
Here are just a few of the most common scams affecting the transportation industry:
Department of Transportation (DOT) scams. Criminals can claim there has been a violation and demand payment or the company’s licenses will be suspended. No one wants to be on the wrong side of the law or slow down business operations, so they will often pay.
Phishing is a problem in any industry, but in this case every account had an email address, phone number, name of the individual, and other potentially sensitive data. This would allow for a more targeted and dangerous method called “Spear Phishing”. It is estimated that businesses were scammed out of $1.7 billion in 2019 alone. The only real defence against phishing is awareness and due diligence on each and every transaction: educating employees not to provide information to anyone until they have verified that the person or business is who they say they are.
Factoring Scams involve a transportation company sending a request for an advance payment on invoices. These can be inflated prices or complete fraud for a service that will never be provided.
Repair invoice scams. It is estimated that maintenance and repair costs on a single truck can be as high as $15,000 per year. This is a large amount of money and a routine expense for many transport companies. Repair invoices are a perfect target for criminals to catch a company off guard, and once the payment is made that money is almost never returned.
The transportation industry is no stranger to scams, but this data exposure could have provided criminals with a gold mine of information that could then be used to target their victims. The only thing companies can do to prevent many types of fraud is to validate each and every payment or information request. The Transportation Services market in the U.S. was estimated to be $1.7 Trillion in 2020. Credit checks serve a valuable purpose by helping fleets avoid scams and brokerages that pop up only to default on payments and take thousands of dollars in the process. Another problem is repeat offenders who set up a new business under a new name. The credit reports can identify these companies and individuals who pose a business risk.
Although there were many references to TransCredit inside the database and 600k “Credit Reports”, we did not receive a reply from anyone at TransCredit verifying whether the data did indeed belong to them. It is not clear if this data was exposed by a contractor or a 3rd party who had access to these reports, or if this was in fact TransCredit’s internal database. There were also login records that contained emails structured as [email protected] Hypothetically these accounts could have been created by transport companies to check the scores and ratings of partners, drivers, or other industry contacts. The database provided insight into the scoring process and a behind-the-scenes look at credit scoring for the transportation industry.
We highly recommend that anyone in the transportation industry revisit their data protection policies and talk about scam and fraud awareness with their employees and team. Change passwords to unique, complex ones. Monitor transactions and credit accounts for suspicious activity.
We do not download the data we discover due to the sensitive nature of the records and our ethical research methods. It is unclear how long the database was exposed or who else may have gained access to these potentially sensitive records, which were accessible to anyone with an internet connection. It is also unclear if companies, individuals, or the authorities were notified of the data exposure as required by Florida law. Our primary goal is always data protection and ensuring that public access to these sensitive records is restricted as fast as possible. We are not implying any wrongdoing by TransCredit, their partners or affiliates, and we are highlighting our findings to raise awareness for cyber security education.