[BreachExchange] Data Breach Report: RigUp Exposes More Than 70, 000 Private Files

Mon Apr 13 10:23:10 EDT 2020

https://www.securitymagazine.com/articles/92098-data-breach-report-rigup-exposes-more-than-70000-private-files

Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently
discovered a breached database belonging to American software company
RigUp, containing more than 70,000 private files belonging to its US
energy sector clients.

RigUp, founded in 2014, is a labor marketplace and services provider
built for the US energy sector, with clients across the country.
According to the report, since 2014, RigUp has grown to provide
additional services covering many aspects of energy company operations
and is now considered the largest online marketplace and labor
provider in the US energy sector, and in 2019 secured $300 million of
investment, based on a $1.9 billion valuation.

The breached database contained more than 70,000 private files
belonging to companies and individuals using RigUp’s platform, note
the researchers. Had it been discovered by malicious hackers, or
leaked to the general public, warn the researchers, the impact on
RigUp, its clients, and 1,000s of energy workers across the USA could
have been devastating.

The exposed database was an Amazon Web Services (AWS) S3 bucket,
labeled “ru”, says the report, and many of the files contained within
included RigUp’s name. Based on this, the vpnMentor team was quickly
able to confirm the company as the database’s owner.

The vpnMentor team commends RigUp for responding positively to their
disclosure, "especially at a time when it must be experiencing
considerable disruption, due to the coronavirus pandemic," write the
researchers. The company took full responsibility for the leak and
guaranteed a root cause analysis would be conducted.

Example of Entries in the Database

According to the researchers, the exposed S3 bucket was a live
database, with more than 76,000 files exposed, amounting to more than
100GB of data, dating from July 2018 to March 2020.

It appears the database was a ‘file dump’ used by RigUp to store
various kinds of files belonging to its clients, contractors, job
seekers, and candidates for employment. The human resources files
being leaked included:

Employee and candidate resumes
Personal photos, including some private family photos
Paperwork and IDs related to insurance policies and plans
Professional IDs
Profile photos, including US military personnel
Scans of professional certificates in different fields

These files contained considerable Personally Identifiable Information
(PII) data for the people affected, including:

Full contact details: names, address, phone numbers, home addresses
Social Security information
Dates of birth
Insurance policy and tax numbers
Personal photos
Further information relating to education, professional experience,
personal lives