One of the Largest Online Tire Retailers Exposed Over a Million Customer Records Online

Jeremiah Fowler
Cybersecurity researcher Jeremiah Fowler discovered, and reported to WebsitePlanet, a non-password-protected database that contained over a million customer records. Upon further investigation, the records were identified as customer order confirmations belonging to SimpleTire, based in Philadelphia, Pennsylvania. The exposed order confirmations included the customer’s name, phone number, physical address, and partial credit card number with expiration date.

When the open server was discovered, I immediately sent a responsible disclosure notice to several email addresses at SimpleTire, stating that the database was publicly accessible to anyone with an internet connection. Despite multiple email notices, the database remained open and publicly accessible for more than 3 weeks after my discovery. The database contained more than just receipts and had references to the installers’ information, return requests, wholesale pricing records, and what appeared to be images used on the website and in email communications. I did not receive a reply to my responsible disclosure notices; a few days later, public access to the database was fully restricted and it was no longer accessible.

According to their website, SimpleTire offers over 55 million tires, 10,000+ installation centers, and more than 300 brands of tires. In an undated press release, Inc. Magazine’s Inc. 5000 named SimpleTire the fastest-growing automotive brand in America.

Exposed credit card data, combined with the other personal information in the same records, could be used by criminals for unauthorized transactions, identity theft, phishing and social engineering attacks, and more.

What the database contained

  • Total records exposed: 2,808,697 with a size of 1TB.
  • 1,189,151 order confirmation records in PDF format that contained the personally identifiable information (PII) of customers and details of their orders, including partial credit card numbers and expiration dates.
  • Wholesale information, references to authorized installers, refund requests, sales and promotion images, and more.

The risk of exposing credit card data

The first 6 digits of a credit card number are the Issuer Identification Number (IIN), and nearly all IINs can be found online. Combined with the last 4 digits printed on a receipt, this means a criminal would know at least 10 of the 16 digits of the card number. That leaves only 6 digits to guess, and the odds of successfully working out those unknown digits are significantly higher. According to the Wikipedia article on software cracking, a 7-digit code could be solved in 31 seconds, while one with 6 or fewer characters could be cracked almost instantly.

In this case the customer’s name, home address, and even the card’s expiration date were exposed, making the risk more serious than simply guessing the missing digits. This data exposure could be combined with previous hacks or leaks to cross-reference records and easily identify the full card number. Unlike a simple card exposure, the criminal would have enough additional information to build a full profile of the victim. The full card number combined with the names, home addresses, expiration dates, and other details taken from the order confirmations could pose a significant risk.
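The digit arithmetic above is the reason a receipt that prints the first six and last four digits is a very different artefact from one that prints only the last four. As an added illustration (this is not code from the article or from SimpleTire, and the order confirmation below is a constructed sample using the public Visa test number), the following Python scans order-confirmation text for card-number-like tokens, counts how many of the 16 digits a reader actually learns, rates the finding the way the article reasons about it (full number, IIN plus last four, or last four only, with an expiry date in the same document raising the level), and rewrites the document so that only the last four digits survive before it is archived or emailed:

```python
import re

# Constructed sample order-confirmation text (assumption: the exposed PDFs
# carried roughly this content; the card number is the public Visa test number).
SAMPLE_CONFIRMATION = """\
Order #SIM-0000123 - Thank you for your purchase
Ship to: Jane Doe, 123 Example St, Philadelphia, PA 19103
Phone: 215-555-0100
Payment: Visa 411111******1111  Exp: 08/27
Installer: Example Auto Service
"""

# One card-number position: a digit or a mask character as printed on receipts.
_CLS = r'[\dXx*#]'
# 13-19 positions, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. Phone numbers and ZIP codes are too short.
PAN_CANDIDATE = re.compile(
    rf'(?<!{_CLS})(?:{_CLS}[ -]?){{12,18}}{_CLS}(?!{_CLS})')
# Expiry date such as "Exp: 08/27" or "Valid thru 08/2027".
EXPIRY = re.compile(
    r'\b(?:exp(?:iry|ires|\.)?|valid thru)\s*:?\s*(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b',
    re.IGNORECASE)

# With an expiry date alongside, a partial number is worth one level more.
_ESCALATE = {"low": "medium", "medium": "high"}


def assess(text):
    """Return one finding per card-number-like token in `text`.

    The level reflects how many of the digits a reader learns: the full number
    is critical; IIN plus last four (10 known, 6 unknown) is high; more than
    the last four but fewer than ten is medium; last four only is low.
    """
    has_expiry = EXPIRY.search(text) is not None
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        token = m.group(0)
        positions = [c for c in token if c not in " -"]
        exposed = sum(c.isdigit() for c in positions)
        unknown = len(positions) - exposed
        if unknown == 0:
            level = "critical"
        elif exposed >= 10:
            level = "high"
        elif exposed > 4:
            level = "medium"
        else:
            level = "low"
        if has_expiry:
            level = _ESCALATE.get(level, level)
        findings.append({"token": token, "exposed_digits": exposed,
                         "unknown_digits": unknown,
                         "expiry_present": has_expiry, "level": level})
    return findings


def redact_to_last4(text):
    """Rewrite every card-number-like token so only its final four digits remain.

    If the last four positions are not all digits (the original masked the
    tail rather than the head), the whole token is masked.
    """
    def _mask(m):
        positions = [c for c in m.group(0) if c not in " -"]
        tail = "".join(positions[-4:])
        if not tail.isdigit():
            tail = "****"
        return "**** **** **** " + tail
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for finding in assess(SAMPLE_CONFIRMATION):
        print(finding)
    print(redact_to_last4(SAMPLE_CONFIRMATION))
```

Run against the sample, `assess` reports a single token with 10 exposed digits and 6 unknown, rated high; after `redact_to_last4` the same document yields a token with only 4 exposed digits. A check like this belongs in the pipeline that generates or stores the confirmation, not in an after-the-fact breach review: a document that never contained the IIN cannot leak it.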

There is no shortage of recent leaks or hacks of credit card data that could be used to cross-reference partial card numbers to identify the missing numbers quickly and with almost no effort or contact with the card holder. Notable card breaches include The Home Depot (60 Million), Neiman Marcus (4.6 Million), and Target (40 million credit card numbers and personal details of 70 million customers). In March of this year, BidenCash, a dark web carding marketplace, released the full details of more than 2.1 million stolen credit card details for free. There have been many additional data breaches that have likely gone unreported, and there is always a risk that publicly exposed data could appear for sale on the dark web.

Social engineering attacks are also a threat when customer data is exposed. The criminal could contact the victim and claim to work for SimpleTire or one of the installers and advise the customer that they need to update their payment details. In this case, the criminal would have insider knowledge of the purchase, order confirmation numbers, and could verify the last 4 digits of the card number on file. Customers would have no reason to think the request for more information is not a legitimate call from a company they already have a business relationship with.

We are not implying any wrongdoing by SimpleTire, their installers, or partners. This report is published to raise awareness of cyber security best practices and highlight potential risks. After any data exposure, customers should be on the lookout for suspicious messages or calls and verify that the person they are talking to is indeed an employee of, or affiliated with, SimpleTire. I highly recommend not providing credit card numbers, banking information, or social security numbers by phone. It is unclear how long the database was exposed or if anyone else gained access to the order confirmation and billing records. This is a wake-up call for any organization that collects and stores customer information to take all proper steps to restrict public access and encrypt documents that may contain sensitive information. I also advise that companies have a communication channel and data incident response protocol in place. This can greatly shorten the time between sensitive information being exposed, the exposure being reported to the company involved, and the data finally being restricted from public view.
