Unprotected database leaks 700,000 docs from Aussie smoke alarm servicer online

Poor security policies, storage misconfigurations, and human error can lead to the unintentional exposure of sensitive or confidential information.

Cybersecurity researcher Jeremiah Fowler recently stumbled upon a non-password-protected database that exposed over 700,000 documents from Australia’s leading smoke alarm installation and maintenance service online.

According to Fowler’s analysis, the data included 107 GB of files and documents from Smoke Alarm Solutions, including:

• 355,384 invoices dated 2021-2024 containing customer personally identifiable information
• Documents containing records of inspections, estimates, compliance reports, electrical safety inspections, service quotes, and service reports

Source: vpnMentor

Following the discovery of the unprotected database, Fowler sent a responsible disclosure notice to inform the company of the leak, to which the company replied:

“We are aware of this data store. Its state is the unfortunate side effect of some work by a previous system integrator. We are actively migrating to a new customer management platform. We will block all access (or more likely, decommission) this data store as soon as we have migrated the data to our new platform”

Despite the disclosure, the researcher said the records remained accessible for about two months before the company restricted access.

All leaky databases come with privacy risks. In this case, if malicious actors had accessed and stolen the information, they could have unleashed highly convincing and targeted social engineering schemes against customers and technicians.

“Hypothetically, criminals could contact the property owner and reference the locations of alarms, installation date, invoice numbers, subscription plans, name of the technician, inspector, and other internal details to gain access to the property for criminal activities,” Fowler warned. “Another potential risk would be the alteration of an invoice to falsely claim there is an outstanding payment due and attempt to receive money, credit card data, or banking information.”

Now, while there is no evidence of misuse or that cybercriminals accessed and exfiltrated records from the company, the researcher urges customers to stay vigilant and adopt healthy cyber habits:

• Verify all unexpected communications related to any business conducted with a smoke alarm servicer.
• Never share financial or sensitive information via unsolicited correspondence, such as email, text or phone calls
• Look for signs of scams in any communication, including urgency, demand for immediate action, threatening language, poor grammar and requests for credit card info, passwords or other personal info.

Pro tip:

Chat with Scamio, our AI-powered scam detector, online, via Facebook Messenger or WhatsApp. To receive recommendations and thwart security threats, just describe the details of a possible scam, copy-paste links, or upload screenshots and QR codes.

How can you improve your online security and defend against data leaks and scams exploiting exposed data?

At Bitdefender, we put your security and online privacy above all else. On top of our award-winning security solutions to protect your devices against all phishing to fraudulent websites, opt for Bitdefender’s Digital Identity Protection service so you can stay on top of data breaches and leaks that can impact your identity and security.

Our dedicated identity protection service offers 24/7 alerts, a complete overview of your online footprint, and the industry's first Identity Protection Score, which helps you quickly understand the extent of a data breach and how it can impact your online safety, privacy and finances.