Hypothetically, if you, a criminal, wanted to steal millions of dollars from a corporation, one place to start might be figuring out who it owes money to. Does it pay rent on any of its offices? How often does it make payments on the expensive software or equipment it leases? Which overworked account executive handles these payments and what would it take for her—eager to get home to her three kids after a long week—to accidentally authorize payment to you instead of the accounts she manages?
While the kinds of information required to pull off this type of social engineering attack are typically guarded behind corporate firewalls, British cybersecurity firm TurgenSec discovered that a database of precisely this type of data was left completely open, visible to any hacker with a web browser who took the time to look.
The database, which belongs to lease management software from a company called LeaseSolution, contains 6 million database entries detailing confidential business information from nine companies including Samsung and Rolls-Royce, according to TurgenSec researchers.
The database appears to have now been taken offline. While LeaseSolution did not respond to Gizmodo’s request for comment, Link Group, the sole distributor of the LS2 software, emailed Gizmodo this statement:
“Link Group was made aware of a vulnerability relating to the LeaseSolutions’ LS2 platform. We take our obligation to protect data extremely seriously and ensured LeaseSolutions took immediate action to address the vulnerability. Link continues to act in accordance with its legal and regulatory requirements.”
We have reached out to Samsung and Rolls-Royce and will update when we hear back.
Following TurgenSec’s discovery, UK-based LeaseSolution’s website was unviewable on Friday due to an “error establishing a database connection.” Over the weekend, however, it appears that the company has updated and redesigned it to foreground security—ironically, web traffic to the site remains unencrypted. In marketing material, the software, known as LS2, is presented as a secure environment to keep track of documentation and payments throughout the entire lifetime of a given lease. For instance, a company like Rolls-Royce might use LS2 to keep track of the airplane engines that they have leased to an airline.
While the exposed data is limited to the corporate clients of the companies using this software, a system like LS2 is predicated on storing sensitive information about lessees. According to TurgenSec, each of the 6 million rows of data potentially included more than 300 data headers including phone numbers, email addresses, job titles, links to other databases, and more. Perhaps more interestingly, the breached data included assets that a client had leased – office buildings, industrial machinery, corporate jets.
Under UK law, LeaseSolution is required to notify the Information Commissioner’s Office of any data breach within 48 hours of being notified. While TurgenSec said it notified LeaseSolution of its discovery on April 15, it’s unclear whether the ICO has been notified. ICO did not immediately respond to our request for comment.
Admittedly, a breach in a “lease management” database doesn’t conjure particularly glamorous images of high-intensity cyber heists. However, it’s often these types of mundane or overlooked software that contain the most valuable information for criminals. Last week, for example, Gizmodo reported that hundreds of thousands of faxes were left public on unsecured databases, exposing Social Security numbers, bank information, and more sensitive personal information. It’s a frustrating reminder that even if you do everything right with your security, someone else’s fuckup can still come back to get you.
11:26: Updated with statement from Link Group.