Cybersecurity researcher Jeremiah Fowler has discovered a significant data exposure at a Texas-based tax credit consulting firm that revealed the sensitive personal information of nearly 250,000 individuals.
The unprotected database, containing 245,949 records totaling 286.9 GB of data, was left accessible to anyone with an internet connection and basic web browsing capabilities.
Scope of the Exposure
The exposed database contained a comprehensive array of sensitive documents and personal information.
Among the accessible files were full names, physical addresses, email addresses, dates of birth, and Social Security numbers stored in plain text format.

The breach also included scanned copies of driver’s licenses, identification cards, Social Security cards, and military discharge forms, commonly referred to as DD214 certificates, issued by the U.S. Department of Defense.
Particularly concerning were the work opportunity tax credit documents, which detailed the employment histories and salary information of affected individuals.
The database also contained determination letters showing acceptance or denial of tax credit eligibility, creating a complete profile of individuals’ financial and employment status.
The technical infrastructure of the exposed system revealed significant security gaps. The database lacked basic password protection and encryption, fundamental security measures for handling sensitive personal information.
While some files were password-protected PDFs, many contained identifying information within their file names and URLs, including business names, individual names, and numeric codes that could potentially serve as passwords.
Company Response and Industry Impact
The exposed records reportedly belonged to Rockerbox, a Dallas-based tax credit consulting company specializing in employer-focused tax incentives, including the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), and Research and Development (R&D) credits.
The company serves a diverse range of industries, including healthcare, hospitality, manufacturing, and trucking, across the United States.
Following Fowler’s responsible disclosure notice, the database was restricted from public access within several days.
However, the company did not respond to the disclosure notification, and it remains unclear whether the database was managed directly by Rockerbox or through a third-party contractor.
How long the database was exposed, and whether malicious actors accessed it, cannot be determined without internal forensic analysis.
Security Implications and Recommendations
The breach highlights critical vulnerabilities in cloud storage configurations and access control implementations.
Inconsistent security measures across different files within the same system create significant compliance and auditing challenges for organizations handling sensitive data.
Fowler emphasized that the combination of exposed personal information poses substantial risks of identity theft.
According to Experian’s 2024 report, the Federal Trade Commission recorded over 1.1 million identity theft claims, with fraud cases resulting in losses exceeding $12.7 billion.
Security experts recommend implementing comprehensive encryption for files containing personal information, regular security audits, and zero-trust access policies.
Organizations should also avoid embedding identifying information in file names or paths, as these can be exposed through browser histories, logs, and analytics tools, potentially compromising data security even when files are technically protected.
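One way to act on the file-naming recommendation is to audit a storage listing for identifiers embedded in object keys and derive opaque replacement names. The sketch below is an added example, not code from Fowler's report or from the company involved; the sample keys, the name list, the secret, and the `objects/` prefix are all constructed assumptions.

```python
import hashlib
import hmac
import re
from pathlib import PurePosixPath

# Identifier shapes that should not appear in a storage key or URL path.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}[-_ ]?\d{2}[-_ ]?\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(
        r"(?<!\d)(?:19|20)\d{2}[-_.]?(?:0[1-9]|1[0-2])[-_.]?(?:0[1-9]|[12]\d|3[01])(?!\d)"
    ),
}

# Constructed sample listing; real input would be a bucket or directory listing.
SAMPLE_KEYS = [
    "wotc/acme-staffing/smith_john_123-45-6789_dd214.pdf",
    "wotc/determinations/jane.doe@example.com_1985-03-14.pdf",
    "objects/9f2c4e1ab0d34c77.pdf",
]


def audit_key(key, known_names=()):
    """Return the sorted identifier types found in one storage key."""
    findings = {label for label, rx in PATTERNS.items() if rx.search(key)}
    # Split the key into alphabetic tokens and compare against known subject names.
    tokens = re.sub(r"[^a-z]+", " ", key.lower()).split()
    if any(name.lower() in tokens for name in known_names):
        findings.add("name")
    return sorted(findings)


def audit_listing(keys, known_names=()):
    """Map each flagged key to its findings; clean keys are omitted."""
    report = {k: audit_key(k, known_names) for k in keys}
    return {k: v for k, v in report.items() if v}


def opaque_key(key, secret):
    """Derive a stable replacement key that keeps only the file extension.

    A keyed HMAC is used so the new name cannot be recomputed from a guessed
    identifier; the old-to-new mapping belongs in an access-controlled store.
    """
    digest = hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()[:32]
    return f"objects/{digest}{PurePosixPath(key).suffix.lower()}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: held in a secrets manager
    for key, found in audit_listing(SAMPLE_KEYS, ["smith", "doe"]).items():
        print(f"{key}\n  contains: {', '.join(found)}\n  rename to: {opaque_key(key, secret)}")
```

Pattern hits are candidates for review rather than proof: long digit runs in hashed or sequential names can resemble an SSN or a date.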





