Server Misconfiguration at Fuel Industry Software Provider Exposes SSNs, PII Data


A server misconfiguration exposed a trove of documents belonging to FleetPanda, a leading petroleum and fuel industry software provider. Sensitive data including invoices, driver applications, and personal information was exposed. Learn about the potential risks and how to protect yourself.

A major server misconfiguration exposed nearly one million documents belonging to FleetPanda, a leading software provider serving the petroleum and fuel industry. The exposed data included sensitive information such as invoices, driver applications, license images, and background checks in.PDF, .jpg, and other image formats.

The incident was discovered by cybersecurity researcher Jeremiah Fowler, who reported the incident to WebsitePlanet. The exposed database, which was left unprotected without any password or security authentication, contained 780,191 documents with a size of 193 GB. The documents revealed shipments of fuel and petroleum to and from numerous companies, industries, and even pipelines.

Fowler also discovered documents containing fuel and petroleum shipments, invoices, delivery tickets, and other business-related records in folders from 2019 to August 2024 and linked to various states including delivery details from California, Oregon, Texas, Colorado, and Oklahoma. The files included drivers, licenses, stores, synctrucks, vehicles, and workers. 

Further probing according to WebsitePlanet’s report shared with Hackread.com ahead of publishing, revealed that the database contained potentially sensitive information, including high-resolution images of driver’s licenses and employment applications with SSN (Social Security Numbers) and PII. The exposed business records and personal data could raise security and privacy concerns. However, it is unclear whether FleetPanda managed the database or a third party.

For your information, FleetPanda is a California-based company providing dispatch management, driver app, reporting and analytics, invoicing, and other services to the petroleum and fuel industry. 

The exposure of sensitive data can lead to a wide range of risks. Personal information, such as social media and driver’s license details, can be used for identity theft, causing financial loss and reputation damage. Criminals can create fraudulent invoices using the exposed invoices and trick organizations into making unauthorized payments. 

The server misconfiguration could potentially disrupt the supply chain of the petroleum and fuel industry, leading to shortages and price increases. Moreover, the exposed data could be used to launch targeted cyberattacks against FleetPanda’s customers or other organizations in the industry.

For instance, a sample screenshot shows an invoice for 9,900 gallons of diesel fuel, valued at $41,000, due to the high retail cost of diesel fuel in the US. This high value of money could make the industry a potential target for criminals in the high-value market.

Fowler recommends organizations should store “important employee data separately from standard operating and business documents” like invoices. In addition, organizations should implement strong access controls, regularly update software and systems, educate employees on cybersecurity best practices, and monitor networks and systems for signs of unauthorized access or server misconfiguration to protect against such incidents.

  1. Data Leak Exposes Business Leaders and Top Celebrity Data
  2. 2 TB of ServiceBridge Data Exposed in Cloud Misconfiguration
  3. Unsecured Database Exposed 39 Million Sensitive Legal Records
  4. Millions of US Voter Data Exposed in 13 Misconfigured Databases
  5. Mexico’s Largest ERP Provider ClickBalance Exposes 769M Records
  6. Database Mess: Aussie Food Giant Patties Foods Leak Trove of Data





Source link