A Wisconsin mattress company, Verlo Mattress, leaked the records of 387,000 customers in an online database, a security researcher has found.

Jeremiah Fowler, cybersecurity researcher and tech analyst at SecurityDiscovery.com, said he discovered an online database called “Customers”. Upon further investigation, Fowler found that every file contained references to Verlo Mattress Factory and “appeared to be customer data.” He said there were indications that this could be a franchise or a single store location in Greenfield, Wisconsin, owned by FWR of Wisconsin LLC.

In the SecurityDiscovery.com blog, Fowler says:

  • This was an Elastic database set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials.
  • 387,604 records with names, phone numbers, emails, home address, billing address.
  • Login credentials with hashed passwords for internal users.
  • IP addresses, ports, pathways and storage info that cyber criminals could exploit to access deeper into the network.

"It is unclear how long the data was exposed or who else may have gained access to it before I responsibly disclosed my discovery to the Verlo Mattress Company. It is also unclear if the affected customers or the authorities were notified. Section 134.98 of the Wisconsin Statutes requires businesses to notify individuals if an unauthorized person has acquired their personal information," says Fowler in the blog.