2.6 Million Towing, Storage, and Auction documents From 25 States Exposed In Data Breach

Jeremiah Fowler, April 22, 2024
Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained 2.6 million documents related to towing, storage, and auction records from 25 states. The records belonged to Dallas-based Traxero, a technology provider for the towing industry. The exposed records provided a behind-the-scenes view of costs, seizures, and sales of automobiles that have been towed. 

The publicly exposed database contained documents such as invoices, certified mail notices, liens, auction or sale dates, and internal application files. Upon further research, it was identified that the documents belonged to Traxero, a Texas-based technology company that provides digital dispatching, impound yard management, and auction software. I immediately sent a responsible disclosure notice to Traxero, and public access to the database was restricted the following day. It is not known how long the data was exposed or who else may have accessed the documents; only an internal cyber forensic audit could identify this information. Traxero acted fast and professionally to secure the database and replied thanking me for my notification.

“We have been working with various third parties to review and validate our actions. To clarify, we immediately secured the database containing the set of pdf and text files that you noted. The Dispatch Anywhere application was meant to be accessible for download to our customers’ desktops.”

The database contained 2,634,753 records, organized in various folders, with a total size of 488 GB. For instance, a folder named “vehicle documentation” contained 816,700 documents with a total size of 180.62 GB. Another folder had 542,442 certified mail documents (as .PDF files) that totaled 248 GB, making it the largest folder in the database. Many of the exposed certified mail documents contained lists of multiple recipients. One single document included over 700 final notices that the vehicles would be auctioned or destroyed by an individual towing company. These notices contained PII (such as names and addresses), vehicle data, amount owed, invoice or reference numbers, and more. Certified mail is a postal service that provides proof of mailing: the sender receives a mailing receipt and the recipient’s signature upon delivery.

I saw documents pertaining to towing companies in 25 states including: Alabama, Arkansas, California, Colorado, Delaware, Florida, Iowa, Illinois, Louisiana, Massachusetts, Maryland, Missouri, Mississippi, North Dakota, New Jersey, Nevada, New York, Ohio, South Carolina, Tennessee, Texas, Virginia, Washington, and Wisconsin. 

The database also contained multiple .nupkg files. The NuGet package file is used primarily in the Microsoft .NET ecosystem for packaging and distributing software libraries and components. There are potential risks associated with exposing a .nupkg file, including code or malware injection. Hypothetically, criminals could inject malware into the package, which could potentially lead to unauthorized access or data theft. Another potential risk is that a user’s system could be compromised after installing the manipulated code files. Although I did not analyze the exposed .nupkg files, such packages may sometimes contain additional information such as API keys, passwords, or configuration details embedded in the package’s code or metadata, leading to further potential risks. I am not saying that Traxero was at risk of a code injection or that the package files were manipulated or contained sensitive information. I am only providing a real-world hypothetical example for educational purposes of the potential risks when internal package or development files are publicly exposed.
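A .nupkg is a zip archive, so the embedded-secret risk described above can be checked before a package is published. The following is an added example (not Traxero’s code, and not based on any file from the exposed database): it opens a package from bytes, lists its entries, and flags text entries such as .nuspec or .config files whose lines look like credentials. The package name, entry names, detection patterns, and placeholder values are all constructed for this example.

```python
import io
import re
import zipfile

# Heuristics a reviewer would apply before a package leaves the build server
# (assumed rules for this example, not a complete secret-scanning ruleset).
SECRET_PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|password|secret|connectionstring)\s*[=:]\s*\S+"),
    re.compile(r'(?i)key="(api[_-]?key|password|secret)[^"]*"\s+value="[^"]+"'),
]
# Entry types inside a .nupkg that are plain text and worth reading line by line.
TEXT_SUFFIXES = (".nuspec", ".config", ".json", ".xml", ".txt", ".props", ".targets")


def audit_nupkg(data: bytes) -> dict:
    """A .nupkg is a zip archive: list its entries and flag text entries whose
    lines look like embedded credentials. Returns {'entries': [...], 'findings': [...]}
    where each finding is (entry name, line number, stripped line)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for name in names:
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue  # compiled DLLs etc. need a different (binary) scan
            text = pkg.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if any(p.search(line) for p in SECRET_PATTERNS):
                    findings.append((name, lineno, line.strip()))
    return {"entries": names, "findings": findings}


def build_sample_nupkg() -> bytes:
    """Constructed sample package (names and values are invented placeholders,
    not files from the exposed database): a minimal .nuspec, a DLL stub, and an
    app.config that carries an API key and a connection string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("Example.Dispatch.nuspec",
                     '<?xml version="1.0"?><package><metadata><id>Example.Dispatch</id>'
                     "<version>1.0.0</version></metadata></package>")
        pkg.writestr("lib/net48/Example.Dispatch.dll", b"MZ\x90\x00 stub")
        pkg.writestr("content/app.config",
                     "<configuration>\n"
                     '<add key="ApiKey" value="EXAMPLE-KEY-PLACEHOLDER"/>\n'
                     "<connectionStrings>\n"
                     '<add name="db" connectionString="Server=db;Password=EXAMPLE_PLACEHOLDER"/>\n'
                     "</connectionStrings>\n</configuration>")
    return buf.getvalue()
```

Running `audit_nupkg(build_sample_nupkg())` reports the two app.config lines; a real pre-publish check would also fail the build when `findings` is non-empty.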

Exposed invoices that contain PII of customers, VIN numbers, license plate numbers, and other details pose numerous potential risks — especially if they show a current outstanding debt. Hypothetically, criminals could contact the victim using internal details from the invoice, lien, or sale notice and offer the victim a discounted settlement. As an example, let’s say an individual owes thousands of dollars, and a criminal contacts them posing as a tow company employee. The criminal then offers a once-in-a-lifetime deal: to return their vehicle and settle the debt for much less than the outstanding amount as long as they make the payment now. The criminal would know dates, amount owed, personal details, invoice or account numbers and more. When provided with this information, the victim would have no reason to suspect the offer is not legitimate and could send money to the criminal or provide them with credit or banking information. I am not saying towing customers are imminently at risk of this type of fraud; I am only providing an example of a possible tactic that could be used. 

Behind the Scenes of the Towing Industry

There is a wide range of reasons why vehicles are towed, including auto accidents, law enforcement requests, illegal or unauthorized parking, mechanical problems, and more. The towing industry in the US has an estimated market size of $11 billion. In 2022, there were around 47,618 towing businesses employing 113,885 people across the country. It is one of the rare sectors of the US economy that is not dominated by major players, and no single company controls more than 5% of the market share. This leaves a patchwork of local and regional towing companies. It also appears that there is no real industry standard for setting prices for towing services. In general, government oversight is limited and varies from state to state.

I saw numerous documents showing outstanding balances that totaled many thousands of dollars, including notifications that the automobiles would be sold or destroyed if the bill was not paid by a certain date. When a low-income individual has their vehicle towed, they may not have the resources to immediately pay the towing and storage costs, which increase daily. Having their vehicle impounded can quickly lead to the permanent loss of their property, defaulting on bank loans if the car is financed, damage to credit scores, and the loss of transportation. A survey conducted in 2022 found that 47% of Americans couldn’t pay $500 or more if they encountered an emergency situation. According to the documents I saw in the database, the towing company can legally sell the vehicle and still require the owner to pay the towing and storage debt — even if the vehicle was sold for more than the debt. This effectively leaves the customer without their car and with a substantial debt. I saw many documents indicating the towing and storage fees were higher than the value of the vehicle.

The towing industry has long been under scrutiny for what consumer rights advocates consider excessive towing charges and costly storage fees. Some states regulate how much towing companies can charge, while other states have basically no regulations or oversight. According to 2024 statistics, the national average cost for a 40-mile tow ranges from $125 to $250. However, I saw one invoice where the towing fee was $1,300, plus additional fees of $450 for labor, $270 for mileage, $85 for an administration fee, and $100 per day for storage.

It is important to clarify that Traxero is the technology service provider and doesn’t determine the terms, fees, or business practices of the individual towing companies using its services. However, it was a very eye-opening experience to see these exposed internal documents and have a behind-the-scenes view of how the towing industry operates and the fees charged for its services.

I also saw a considerable number of letters addressed to lien holders in the database. When it comes to vehicle ownership, you have the registered owner (who uses and drives the car) and then you have the lien holder — which may be a bank, credit union, or finance company that holds the legal title of ownership and collects payments from the registered owner. Given that towing companies can hold and sell the car if the towing and storage fees are not paid, I was curious about the manner in which towing companies could sell the vehicle without the authorization of the legal lien holder. To get a better understanding of this issue, I made several phone calls on a no-names basis to towing companies. In general terms, my question was “How does the selling process work when the registered owner of the vehicle has an additional lien from a title loan company, bank, or other financial institution?” A representative from a towing company said that although they have legal rights to sell the vehicle, sometimes the lien holder will not provide them with the title to sell it. When this happens, they send the lien holder and title owner a series of letters that the lien holder has to reply to. If the lien holder does not follow the steps and settle the towing company’s claim, a statute of limitations expires. Once this happens, the state will issue a title of ownership to the towing company so they can legally sell the vehicle. Post-sale, the original registered owner will be responsible for paying the towing company fees, in addition to repaying the full amount of the loan for the vehicle to the loan issuer or lien holder.

As an ethical security researcher, I never download the data I discover even when the files are publicly available to anyone with an internet connection. I publish my findings for educational purposes, data protection, and cyber security awareness. I imply no wrongdoing by Traxero or their customers. I am not saying there is any imminent risk to customers or individuals who may have used the towing services or to companies that use Traxero technology. It is not known if anyone else had access to the database or how long the data was exposed. As a general rule, I recommend that any suspicious communication or requests from a company that may have been involved in a data exposure be verified to ensure that they are legitimate. Always use official communication channels and stay vigilant when providing personal or financial information over the phone or by email.
