Server with Rockerbox Tax Firm Data Exposed 286GB of Records

A data exposure has come to light at Rockerbox, a tax credit consultancy based in Texas, USA. Cybersecurity researcher Jeremiah Fowler recently uncovered a database containing the firm's data that had no password protection at all, a significant security lapse. His findings were published by vpnMentor and shared with HackRead.com.

Rockerbox is a tax credit consulting company that helps businesses across the United States identify and manage employer-focused tax incentives through programs such as the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits.

The exposure involved 245,949 records, totalling 286.9 GB of data. The dataset comprised various forms of personally identifiable information (PII), including full names, dates of birth (DOB), Social Security Numbers (SSN), and physical addresses.

For your information, PII is information that can identify an individual, directly or indirectly, while SSN is a unique nine-digit identifier used for tracking earnings and for various governmental purposes in the US.

Screenshots of identification documents (Source: vpnMentor)

According to Fowler's report, the exposed records also contained sensitive identification documents such as driver's licenses and DD214 forms. A DD214 is a Certificate of Release or Discharge from Active Duty issued by the US Department of Defense and serves as official documentation of a veteran's military service.

Furthermore, a wide array of employment and tax-related materials were exposed. This included applications for tax credit programs, alongside official acceptance or denial letters, which often contain detailed financial and personal information. While some files returned access-denied errors, many documents were readily available to anyone with an internet connection.

Even where a PDF was itself password-protected, its filename was still exposed, and those filenames revealed PII such as employer and applicant names. Fowler also highlighted a theoretical risk that the numeric portions of these filenames could be the documents' passwords, and advised against embedding such data in file names at all.
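The filename finding is worth checking for on your own storage, because access controls on file contents do nothing for what the object listing itself reveals. The following is an added example, not code from vpnMentor, Fowler or Rockerbox: it audits a listing of object names for PII-shaped tokens (SSN-like digit runs, date-of-birth-like dates, capitalised name pairs, identity-document markers, and long numeric runs that might be embedded passwords). The object keys are constructed for the example and are not real filenames from the exposure; the `protected/` prefix is an assumption used to stand in for the password-protected PDFs the report describes.

```python
import re

# Constructed sample listing (not real keys from the exposure): hypothetical
# object names modelled on the document types the report describes. Keys under
# "protected/" stand in for password-protected PDFs; that prefix is an
# assumption made for the example so it can show that a protected file can
# still leak PII through its name alone.
SAMPLE_KEYS = [
    "wotc/applications/Acme_Restaurants/Jane_Doe_1985-04-12_WOTC_App.pdf",
    "ertc/letters/Acme_Restaurants/approval_letter_2023Q2.pdf",
    "protected/Acme_Restaurants_Jane_Doe_DL_483920175.pdf",
    "protected/8831_Bright_Manufacturing_John_Smith_DD214.pdf",
    "reports/summary_2023.csv",
]

# Patterns for PII-shaped tokens. They are deliberately loose: an audit that
# raises a few false positives is preferable to one that misses an SSN.
SSN_LIKE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")
DATE_LIKE = re.compile(
    r"(?<!\d)(?:19|20)\d{2}[-_]?(?:0[1-9]|1[0-2])[-_]?(?:0[1-9]|[12]\d|3[01])(?!\d)"
)
NAME_LIKE = re.compile(r"(?<![A-Za-z])[A-Z][a-z]+_[A-Z][a-z]+(?![A-Za-z])")
NUMERIC_RUN = re.compile(r"(?<!\d)\d{4,}(?!\d)")
# Markers of identity documents (driver's licence, DD214, etc.) in file names.
ID_DOC_HINTS = ("DL", "DD214", "SSN", "PASSPORT", "W2")


def _is_plain_year(token: str) -> bool:
    """A bare four-digit year is not treated as a suspicious numeric run."""
    return len(token) == 4 and 1900 <= int(token) <= 2099


def audit_key(key: str) -> list[str]:
    """Return the kinds of PII-shaped data found in one object name."""
    findings = []
    name = key.rsplit("/", 1)[-1]  # the file name without its prefix
    if SSN_LIKE.search(name):
        findings.append("ssn-like")
    if DATE_LIKE.search(name):
        findings.append("dob-like")
    if NAME_LIKE.search(key):  # prefixes can carry employer names too
        findings.append("name-like")
    runs = [t for t in NUMERIC_RUN.findall(name) if not _is_plain_year(t)]
    if runs and not SSN_LIKE.search(name):
        findings.append("numeric-run")  # could be an embedded password
    tokens = re.split(r"[_.\-]", name.upper())
    if any(hint in tokens for hint in ID_DOC_HINTS):
        findings.append("id-document")
    return findings


def audit_listing(keys: list[str]) -> dict[str, list[str]]:
    """Map each object name that leaks something to the kinds of data found."""
    return {k: f for k in keys if (f := audit_key(k))}


def protected_name_leaks(keys: list[str], protected_prefix: str = "protected/") -> list[str]:
    """Names that leak PII even though the file content itself is protected."""
    return [k for k in keys if k.startswith(protected_prefix) and audit_key(k)]


if __name__ == "__main__":
    for key, findings in audit_listing(SAMPLE_KEYS).items():
        print(f"{key}: {', '.join(findings)}")
    print("protected files leaking via name:", protected_name_leaks(SAMPLE_KEYS))
```

Run against a real listing (for example the output of a bucket or share enumeration), the same functions will flag names built from applicant or employer names, dates of birth and identifier numbers. The practical fix is the one the report implies: name objects with opaque identifiers and keep the mapping to people in an access-controlled index, rather than trying to protect a listing that the storage layer exposes by default.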

Rockerbox, which serves businesses across the US in sectors such as restaurants and hospitality, healthcare, manufacturing, food processing, and skilled trades, now faces scrutiny over its data handling. An exposure of this scope creates significant potential for targeted phishing, identity theft, and financial fraud, since a malicious actor who obtained the data would hold names, dates of birth, SSNs, addresses and identity documents together, which is everything needed to impersonate the people affected.

Fowler notified Rockerbox immediately, and the database was secured and restricted from public access several days later. He received no reply to his responsible disclosure notice, however. It also remains unknown whether the database was managed directly by Rockerbox or by a third-party contractor, how long it was exposed before discovery, and whether any unauthorised parties accessed it in the meantime.

“For companies and organizations that collect and store potentially sensitive personal data in cloud storage repositories, it is important to implement the proper security measures to protect that information. This starts with access controls and limiting who (from both inside and outside of the organization) can see and manipulate which pieces of information,” Fowler concluded.
