Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password protected database that contained a large number of PDF documents.

The PDF documents that were made public included invoices from both individuals and businesses who used an app to pay for products and services. The invoices contained names, email addresses and physical addresses, phone numbers, and more. In addition, the documents also included notes about what the payment was for, the total amount, due date, and some even contained tax information such as a tax id number.

Upon further research, it was identified that the database belonged to NorthOne Bank, a financial technology company that is used by over 320,000 American businesses (based on information on their website). It is worth noting that NorthOne is not a full service bank. Banking services to NorthOne Bank are provided by The Bancorp Bank, which is also a member of the Federal Deposit Insurance Corporation (FDIC), a government agency that provides deposit insurance to financial institutions. NorthOne Bank has offices in New York, USA and Toronto, Canada and its services are available throughout North America.

I immediately sent a responsible disclosure notification to NorthOne Bank of the discovery of the possible security concern. Subsequently, I was informed by the bank that they had “investigated and had resolved the issue and that there were no outstanding open issues”. I first reported the finding on January 19th, 2023 and the database remained unsecured until January 31st, 2023, after sending several followup messages, restricting the access to the database and thus to the .PDF documents. It is unclear how long these records were exposed or who else may have had access to the database, if anyone did. We imply no claims or accusations about Northone Bank’s security practices. Details provided here are based on the response I received from the bank and our intention is solely to promote better security measures and responsible handling of potential vulnerabilities. It should also be noted that Bancorp Bank is not at fault or responsible for this breach.

The database allowed anyone with an internet connection and the database’s URL to see or download the .PDF documents. There were basic security controls preventing a full indexing of all documents. I estimated that there were over a million files in the database that were marked as “production”. In a random sampling of 1,000 invoices, I observed invoice amounts ranging from as low as $60 to over $10,000 for various services. These included home repairs, pet services, food and beverage, and even medical care.
How the invoices appeared in the exposed database:

Exposed tax information can be a significant risk
Business identity theft can potentially pose serious threats to any business, with small businesses being particularly vulnerable due to fewer resources to detect and respond to security incidents, and a smaller customer base, which could make it easier for criminals to impersonate them. Criminals could use a business name or Employer Identification Number (EIN) to file fraudulent federal tax returns and claim refunds from the Internal Revenue Service (IRS). Another significant risk would be criminals using the business name and EIN to apply for credit accounts or apply for loans, leaving the business accountable for repaying and settling the debts. Detecting business identity theft early may still lead to a substantial burden on the victim, as they must demonstrate they did not authorize the fraudulent accounts.

Invoices are a goldmine for criminals
The potential risk of this exposure would be criminals knowing the financial transaction history and personal details of both parties involved. The exposed invoices would provide a criminal with sensitive insider information that would be known only to the seller or service provider and customer. This could enable scammers to establish a position of trust, contacting the customer to claim an outstanding payment is owed or requesting an alternative they need another payment method such as a credit or debit card, or bank account information. The criminal could reference the real invoice number and transaction details, making it difficult for the victim to doubt the scammer’s legitimacy as a representative of the company or service provider.

According to the Verizon Business 2020 Data Breach Investigations Report, nearly 90% of all data breach-related crimes were financially motivated or aimed at financial gain. Cybercrimes, such as ransomware, phishing or data theft, can be highly profitable, and criminals are rarely caught, leaving their victims on the hook for unauthorized purchases or facing damage to their consumer credit scores. Cybercrimes can come in many different forms, but the most common tactics include extorting money from victims directly, employing social engineering to obtain payment and personal data, or selling the data acquired.
NorthOne’s app is available on iOS, Android and desktop platforms. The banking app is designed to work with all payment processing systems, including point-of-sale (POS) terminals, eCommerce tools, and payment services. Some of NorthOne’s integration options include Airbnb, Cash App, Lyft, PayPal, Quickbooks, Shopify, Square, Stripe, Uber, Venmo, Wave, among others.

In a separate matter unrelated to the discussed data exposure, NorthOne has raised significant capital of $90.3M USD in funding over 5 rounds. NorthOne’s network of investors includes a former NFL football star, venture capital, and the investment arm of health insurance giant Kaiser Permanente that usually invests in healthcare companies. Other notable investors include; Battery Ventures, Don Griffith, Drew Brees, Ferst Capital Partners, FinTLV, Kaiser Permanente, Next Play Capital, Operator Stack, Redpoint Ventures, Ruby Ventures, Tencent and Tom Williams. Please note that this information is provided for context and is not intended to imply any connection between NorthOne’s investors and the potential data exposure situation mentioned earlier.

We are not implying any wrongdoing by NorthOne or that any customers or users of the service were at risk. Our primary objective is to promote better security practices and raise awareness of potential risks. We only highlight the discovery of the exposed documents and provide a summary of the real world risks of the publically accessible invoice documents. The extent to which users have been notified to be vigilant for any irregularities or unauthorized attempts or payment requests remains uncertain.