Unprotected Database Belonging to an Ad Agency Has Exposed 150,000 Records of Injury Claims

• The submissions included personal health information, sensitive medical information, details of procedures, or the consumption of certain medications.
• The database also contained a list of more than 300 law firms who paid X Social Media, with detailed records of how much each law firm paid the ad company.

Security researchers Noam Rotem and Ran Locar uncovered an unprotected database belonging to an ad company ‘X Social Media’ that helps law firms sign up potential victims from specific conditions of harm and injuries who submit their information in the hope of receiving legal relief.

What information was exposed?

• The leaky database contained names, addresses, phone numbers, the date and time of a victim’s submission and the circumstances and explanation of their accident, injury or illness.
• The submissions included personal health information, sensitive medical information, details of procedures, or the consumption of certain medications.
• The database also included submissions from victims who suffered illnesses from pesticides or medications or experienced sexual abuse.
• The database also contained a list of more than 300 law firms who paid the X Social Media, with detailed records of how much each law firm paid the ad company.
• The database also contained the bank routing and account numbers of the ad company.

The response

The security researchers who found the leaky database notified the ad company, who responded immediately by taking the database offline. However, the company denied that it stored medical data, citing the findings as “inaccurate”.

“After being notified by TechCrunch about a security problems in MongoDB the X Social Media developer team immediately shut down the vulnerability create [sic] by a MongoDB database and did a night long log file review and we only found the two IP addresses, associated with TechCrunch accessing our database. Our log files show that nobody else accesses the database while in transit. We will continue to investigating this incident and work closely with state and Federal agencies as more information becomes available,” Malherbe, founder of X Social Media said.

However, when asked for the logs to verify the founder’s claims, the ad company declined.