ERP Software Provider Exposes Over 750 Million Records


Mexico-based enterprise resource planning (ERP) technology provider ClickBalance exposed 769 million records in a 395GB database, cybersecurity researcher Jeremiah Fowler has discovered.

On July 18, 2024, the exposed database contained secrets and personally identifiable information, including API keys, secret keys, bank account numbers, tax identification numbers, and email addresses.

ClickBalance, as per the company’s site, offers cloud-based software that helps with administration automation, accounting, inventory, payroll, and more. The company has not confirmed the breach but locked the database down after being contacted by Website Planet.

“Upon discovery of the database, I immediately sent a responsible disclosure notice, and public access was restricted within hours,” Fowler wrote. “It is not known how long the database was exposed or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.”

Fowler said he did not receive a response from ClickBalance after notifying the company about the breach.

Unprotected databases, despite their disruptive potential, continue to be a common cause of data leaks. Large companies and government organizations are consistently found to have left databases online without proper safeguards.

In January 2024, for example, a database holding information on 223 million Brazilian citizens was found unprotected by researchers at CyberNews, an IT news publication.

But the ClickBalance database is unique in that it contained not only customer data but also financial records, Fowler noted.

“Any technology company that manages a wide range of data of internal and external stakeholders including multiple customers, employees, and end users may face considerable data protection challenges,” he wrote. “This is due to the large amount of information that they need to store for each customer — and they usually have a high number of customers.”

The data in the ClickBalance database could be used for a range of malicious activities, including identity theft.

The ClickBalance data breach is just the latest in a series of leaks discovered in the past year. In June, the data of an estimated 2.3 billion people was found in a 1.2TB unsecured database.

Many of the affected people in the ClickBalance breach are not in the US, so they’re not protected by the recently enacted Health Data Use and Privacy Act, which gives US residents the ability to sue companies that expose their health data.

But that doesn’t mean that no one will face consequences.
