A database was found to be without password protection or encryption, exposing approximately 180,000 records (178,519 files) containing PII and payment data. This database was discovered by Jeremiah Fowler, a Cybersecurity Researcher and was initially reported to Website Planet. 

In an examination of the exposed files, Fowler identified invoices that contained personally identifiable information (PII). Sensitive data in these invoices included, but was not limited to: 

• Names
• Physical addresses
• Phone numbers
• Tax ID numbers

These invoices belonged to employees, customers, service providers and partners globally. Other sensitive documents exposed were airline tickets, ride share receipts, and health insurance payments, medical payments and more. These documents appear to belong to Invoicely by Stack Holdings GmbH, a SaaS portfolio organization based in Vienna. 

Though it is unknown if any malicious actor accessed this data, in the hypothetical event that one had done so, this information could be leveraged to conduct invoice fraud, financial fraud, or identity theft. Furthermore, the PII could be used to create targeted social engineering schemes.