Recently I discovered PDF documents that were made public included invoices from both individuals and businesses who used an app to pay for products and services. The invoices contained names, email addresses and physical addresses, phone numbers, and more. In addition, the documents also included notes about what the payment was for, the total amount, due date, and some even contained tax information such as a tax id number. Upon further research, it was identified that the database belonged to NorthOne Bank, a financial technology company that is used by over 320,000 American businesses (based on information on their website).
I immediately sent a responsible disclosure notification to NorthOne Bank of the discovery of the possible security concern. Subsequently, I was informed by the bank that they had “investigated and had resolved the issue and that there were no outstanding open issues”. I first reported the finding on January 19th, 2023 and the database remained unsecured until January 31st, 2023, after sending several followup messages, restricting the access to the database and thus to the .PDF documents. It is unclear how long these records were exposed or who else may have had access to the database, if anyone did.
We imply no claims or accusations about Northone Bank’s security practices. The details provided in my full report are based on the response I received from the bank and our intention is solely to promote better security measures and responsible handling of potential vulnerabilities. It should also be noted that Bancorp Bank is not at fault or responsible for this breach. The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF invoice documents. In a random sampling of 1,000 invoices, I observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.
Northone replied that the data exposure contained no product, technology or corporate connection between their Invoice Maker and NorthOne. It was a free app that was made available in the app store for interested users.