According to cybersecurity researcher Jeremiah Fowler, hundreds of thousands of personal documents were left in an unprotected database that could be accessed by anyone who knew where to look.
Talking to Website Planet, Fowler explained how he discovered that the database belongs to FleetPanda, a cloud-based fleet management and dispatching software designed to streamline fuel distribution.
The platform offers real-time tracking, automated order management and seamless integration with various back-office systems.
FleetPanda responds
The company maintained a non-password-protected database of 780,191 documents, totaling 193GB in size. It held numerous .PDF, .JPG, and other files with information about fuel and petroleum shipments to and from various companies, industries, and even pipelines. Other files included invoices, delivery notes, as well as driver applications, high-resolution images of driver’s licenses, and background checks that contained personally identifiable information (PII).
The files were generated between 2019 and August 2024 and were listed as cache files. The invoices also contained billing and delivery information such as invoice to, delivered to, delivered by, ticket, PO or order numbers, truck numbers, and other internal identifiers or tracking information.
Fowler said he reported his findings to FleetPanda, which locked the database a few days later — without saying a word. As a result, we don’t know how long the database remained unlocked, whether a third party controlled it, or whether anyone had access to its contents before Fowler did.
We have contacted the company with these questions and will update the article accordingly.
With most businesses now being “data businesses” and cloud computing ubiquitous, most companies are storing their data in cloud storage. As a result, unprotected databases remain one of the most common causes of data breaches.