Security Researchers from Website Planet found, that an UK Tax Relief Company Exposes Customers’ Personal Information due to a misconfigured web server. Here are a few details about this Data Leak.
I got the information during the weekend, that the Website Planet security team identified – as part of conducting routine server scans for potential vulnerabilities – a misconfigured web server belonging to Marriage Tax Allowance Ltd, a UK-based company specialising in recovering marriage tax allowance funds for clients.
(Security, Source: Pexels free use)
Due to a lack of security measures, they left the directory listing enabled for public view, exposing their customers’ information such as the couples’ full names, full home address and refund amount. The team found over 100,000 files totaling approximately 5GB of data affecting >100,000 people on this server.
Marriage Tax Allowance Ltd misconfigured its WordPress content management system (CMS), thereby leaving the directory listing enabled for public view. This allowed anyone to browse the entire list of files stored on the website. More specifically, letters to customers, containing customer information, were written to the same directories. The vulnerability meant that anyone attempting to access the company’s directory listing could have done so without encountering basic security measures such as password protection.
Accessing the correct URL allowed users to access the full pipedrive database. All the exposed data was contained in .PDF files and included Personally Identifiable Information (PII) such as:
- Applicant’s full name
- Applicant’s gender
- Full Home address
- Partner’s full name
- Partner’s gender
- Refund amount customers could request
The lack of adequate security meant the company allowed hundreds of thousands of PDF files showing customers’ personal information to become exposed. According to the research team, each customer, or couple, had two files associated with them – one document showing each couple’s details and a further “thank you” document, kept on record to inform the applicants that their submission was approved (and that they would be receiving a refund).
PDF scan showing customer personal information and estimated refund amount
PDF scan showing customer application form including personal information
More details about the data leak, the the risks of leaving such information exposed etc. may be found on the Website Planet report.
Cookies helps to fund this blog: Cookie settings