Rockerbox kept an open database online for an unknown period

The database contained ID card numbers and other vital information

Following its discovery, it has now been locked down

A tax credit consulting agency inadvertently exposed sensitive data on thousands of its customers by allegedly keeping a database filled with personally identifiable information (PII) open on the public internet.

The database was discovered by Jeremiah Fowler, a cybersecurity researcher and analyst known for hunting for unencrypted and non-password-protected databases. In a new vpnMentor report, Fowler said he found an archive with a total size of 286.9 GB, containing 245,949 records.

“In a limited sampling of the exposed documents, I saw files that detailed PII such as names, physical addresses, email addresses, DOB, and SSN in plain text,” Fowler explained. “There were also driver’s licenses, identification cards, SSN cards, work opportunity tax credit documents that included employment and salary information, and determination letters with acceptance or denials of eligibility.”

Rockerbox leaks

Furthermore, he observed DD214 forms - Certificates of Release or Discharge from Active Duty, issued by the US Department of Defense to veterans and similar military personnel. There were also password-protected PDF files labeled as “forms”, with file names containing PII such as employer names, and applicant first and last names.

Fowler attributed the database to a Texas-based company called Rockerbox, a tax credit consulting organization helping businesses increase their cash flow by identifying and managing employer-focused tax incentives through programs like the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits.

After Fowler reached out to Rockerbox, the company closed down the archive in a matter of days, but allegedly never replied to the researcher.

Therefore, we don’t know whether the company manages this database itself or whether that work was handled by a third party, or whether any threat actors obtained it in the past. At press time, there was no evidence of in-the-wild abuse.

