A marketing agency advertising on Facebook and Instagram, specializing in campaigning for medical malpractice suits, has been hit with a significant data breach.
Security researchers at vpnMentor discovered that almost 150,000 highly sensitive personal records from the databases of the agency, xSocialMedia, have been leaked.
The database exposed, among others, the data of US military personnel injured in combat.
The injuries detailed in the exposed records “vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products,” vpnMentor said in a blog post.
The ad campaigns are meant to drive clients toward websites that would direct the victims toward legal assistance.
But xSocialMedia left the door wide open to anyone on the internet to view or download the data.
The kind of personal data that was gathered by the company and stored on its password-less database included real names, home and email addresses, phone numbers and IP addresses – and detailed sensitive medical data.
Exactly how sensitive this information is becomes obvious once you know that xSocialMedia gathered not only details of combat injuries, including where and when they happened, but also of the mental trauma they may have caused.
The data potentially exposed to anyone on the internet also includes records pertaining to the ad agency’s business itself: invoices and its own bank account.
Nine days passed between vpnMentor discovering the leak on June 2, 2019, and xSocialMedia shutting down access to its servers.
xSocialMedia are not talking to vpnMentor, so it’s unclear at this time whether anyone has actually taken advantage of the vulnerabilities to access and download the data. If the answer is yes, the ad company will pay a high price.
On one hand, much of its current business could wind up in the hands of competitors, and on the other, the company’s reputation would be in tatters, especially among the law firms who are xSocialMedia’s prime clients, said vpnMentor.
All in all – not all data breaches are equally bad, but it seems that this one, resulting from xSocialMedia’s appalling security practices and given the nature of the data involved, can be filed in the “very, very bad” column.