Over 2,300,000 Records of Family Entertainment Business Were Exposed in Data Breach

Cybersecurity Researcher Jeremiah Fowler discovered and reported to vpnMentor about a non-password-protected database that contained over 2.3 million documents belonging to Kids Empire, a US operator of recreational centers.

The publicly exposed database contained 2,363,222 documents in .PDF and .PNG formats with a total size of 923 GB. These included reservations, injury waivers, and receipts with partial credit card numbers and transaction details. Additionally, there were digital gift cards with no expiration date, source images for websites, and templates. I immediately sent a responsible disclosure notice to Kids Empire. The database remained publicly accessible for at least three weeks before it was finally restricted. It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information. Once the database was secured, Kids Empire representatives
thanked me by email for my notification and indicated future steps they will take for data protection.

According to the PitchBook profile, Kids Empire is an operator of recreational centers intended to provide indoor fun facilities for kids. The company's centers offer parks that are temperature-controlled, safe, and clean, where the small kids can enjoy a variety of games or delight themselves on the dance floor, enabling caregivers to keep an eye on the children while they enjoy their leisure time.

The data exposure poses potential privacy risks to customers by revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers, and details about the reservations. The mandatory waivers included the child's name as well as the parent's personal information and signature. Kids Empire has 68 locations across 18 states, including Arizona, California, Colorado, Florida, Georgia, Iowa, Illinois, Indiana, Kansas, Michigan, Minnesota, Missouri, Nevada, New Jersey, Pennsylvania, Texas, Utah, and Virginia.

The potential risks of exposing customer information can have a wide range of implications. Cyber criminals increasingly use sophisticated methods of social engineering to obtain additional personal, credit card, or banking information. According to the FBI, 98% of all cyber crimes start with social engineering. One hypothetical example would be a criminal calling a customer and using internal information to pose as a Kids Empire employee. They could say something like, "I see you recently were at X location and we want to offer you a refund of XXX to your card ending in 1234; can you please provide me with the rest of the number and the CVV security number on the back of the card?" I am not saying that any Kids Empire customers are inherently at risk of this type of fraudulent activity; I am only providing a real-world example for educational purposes. I recommend that anyone who receives suspicious communications asking for payment information always confirm that it is a
legitimate request. The first step to do so is verifying that the person you are speaking with is who they say they are by using only official channels, such as company email addresses or phone numbers.

In any data breach, the most significant potential risk is identity or financial theft. Although the records contained only partial credit card numbers, type of card, and transaction numbers, any internal customer information can serve as a puzzle piece to create a full target profile for criminals. Another potential risk would be malicious actors trying to exploit exposed information for targeted phishing attacks against customers. In this particular case, and in any data exposure, it is crucial for customers to be familiar with known deceptive tactics used by criminals online and offline. This way, the probability of falling victim to such methods is lower.

Even though Kids Empire provides an offline service for family entertainment, this exposure shows how data is now a prevalent part of nearly all aspects of life. In an era where digital threats are constantly evolving, I urge companies to take proactive steps such as encrypting internal records, regularly updating security protocols, and conducting comprehensive risk assessments on the environments where sensitive data is stored. I highly recommend that companies that collect and store data have a dedicated communication channel for data and privacy issues that is separate from customer support. Offline businesses do not usually train their customer support representatives to handle data security protocols, which can lead to delays in addressing potential security incidents and thereby put potentially sensitive customer or business information at further risk. During a data breach, every second counts. Being prepared with a plan in place is a great proactive way to mitigate and minimize the potential damage of the exposure.

I imply no wrongdoing by Kids Empire, nor am I suggesting that any customers or their data was ever at risk. As an
ethical security researcher, I never download the data I discover and only conduct a limited manual review for verification and notification purposes. My investigations are strictly confined to a limited manual review solely undertaken for the purposes of verification and subsequent notification to the relevant parties. Any discussion of hypothetical risks is intended purely for educational purposes, aiming to foster awareness and promote better security practices.

Jeremiah, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, is renowned for uncovering some of the world's most significant data breaches. Together with the vpnMentor team, he has been instrumental in securing the personal data of millions globally.

His journey in cybersecurity, sparked by his interest in a data breach at a former company, transformed from a passion into a recognized expertise, establishing him as a respected thought leader in the industry.