A significant data exposure incident linked to Logezy, a UK-based software company, was uncovered by cybersecurity researcher Jeremiah Fowler, who reported a publicly accessible, non-password-protected database to vpnMentor.

The database, containing nearly 8 million records and totaling 1.1 terabytes, was linked to Logezy, a UK-based software company specializing in employee data management and payroll services. The exposed files included personal and employment-related documents such as work authorizations, national insurance numbers, timesheets, electronic signatures, and high-resolution images of identification documents. Many records were connected to healthcare workers and organizations, including staffing agencies and temporary employment services.
Although the database appeared to belong to Logezy, it remains unclear whether it was directly managed by the company or by a third-party contractor. After Fowler sent a responsible disclosure notice, access to the database was restricted. However, the duration of the exposure and whether any unauthorized access occurred prior to its discovery remain unknown, pending a forensic investigation.
Logezy offers a cloud-based platform and mobile app designed to streamline staff deployment, compliance, and payroll processes. While the company claims to serve various industries, the exposed data primarily involved the healthcare sector.
This incident underscores ongoing concerns about data security within the UK healthcare industry. A recent Digital Health report revealed that 79 percent of UK healthcare providers have experienced at least one data breach since 2021, with unintentional leaks on the rise. The compromised records, rich in personally identifiable information (PII), pose significant risks if accessed by cybercriminals. While there is no evidence of misuse, the incident highlights the urgent need for robust data protection measures, especially in sectors handling highly sensitive information.
Experts warn of multiple cyber risks tied to the exposed data. Identity theft is a major concern, as criminals could exploit personal information to open financial accounts or commit fraud. A 2023 FICO report found that 1.9 million UK consumers had their identities stolen for such purposes.
Credential theft is another pressing issue. With access to work documents and signatures, attackers could potentially breach internal healthcare systems. Some records reportedly included information on supervisors and administrators, raising fears that higher-level staff could be targeted.
The threat of social engineering is also pronounced. Cybercriminals often use personal information to craft convincing phishing attacks. Reports indicate that social engineering attacks in the healthcare sector surged by 279 percent in 2023.
Additionally, ransomware attacks pose a severe threat. With healthcare organizations relying heavily on digital systems, losing access to critical data could directly endanger patient care. Though Logezy is not a healthcare provider, its role in processing data for many such organizations increases the overall risk.
Finally, personal data from the leak could be traded on the dark web, with stolen IDs fetching thousands of pounds. Experts recommend that affected individuals monitor their financial accounts and that software providers adopt stricter data segmentation practices to prevent cross-client data breaches in the future.
InfotechLead.com News Desk

