Leaky database at kids’ recreation center in the US exposes families’ private information

A database belonging to Kids Empire, an operator of kids' recreational centers in the US, has been found leaking personally identifiable information (PII) about customers online.

The leaky database containing over 2.3 million PDF and PNG documents was discovered by vpnMentor’s cybersecurity researcher Jeremiah Fowler earlier this year.

Fowler explained in his report that the database was left in the open with no password protection and was publicly accessible for at least three weeks before the company restricted unauthorized access.

According to his analysis, 92.3 GB of data, including reservations, injury waivers and receipts with partial credit card numbers and transaction details alongside digital gift cards with no expiration date, source images for websites and templates were exposed.

These documents also held various PII, including names of parents and children, email addresses, phone numbers, home addresses, and details about the reservations.

“It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information,” Fowler said. “Once the database was secured, Kids Empire representatives thanked me by email for my notification and indicated future steps they will take for data protection.”

Fowler’s report also offers insight into the risks should ill-intended individuals have accessed and exfiltrated the information.

He specifically warned of malicious individuals using the information to conduct highly convincing social engineering schemes against customers.

“One hypothetical example would be a criminal calling a customer and using internal information to pose as a Kids Empire employee,” Fowler explained. “They could say something like ‘I see you recently were at X location, and we want to offer you a refund of $X.XX to your card ending in #1234, can you please provide me with the rest of the number and the CVV security number on the back of the card?’”

This real-world example reminds us of the importance of safeguarding personal information and maintaining vigilance and proper cyber hygiene in the data breach era.

Are you worried about how data breaches and leaks can impact your privacy and security?

Use Bitdefender Digital Identity Protection to continuously monitor personal information and safeguard against data breaches. Our dedicated identity protection service allows you visualize your online footprint and shut down security and financial risks via 24/7 data breach monitoring and much more.