Data Breach Report: RigUp Exposes More Than 70,000 Private Files

Led by Noam Rotem and Ran Locar, vpnMentor’s research team recently discovered a breached database belonging to American software company RigUp, containing more than 70,000 private files belonging to its US energy sector clients.

RigUp, founded in 2014, is a labor marketplace and services provider built for the US energy sector, with clients across the country. According to the report, since 2014, RigUp has grown to provide additional services covering many aspects of energy company operations and is now considered the largest online marketplace and labor provider in the US energy sector, and in 2019 secured $300 million of investment, based on a $1.9 billion valuation.

The breached database contained more than 70,000 private files belonging to companies and individuals using RigUp’s platform, note the researchers. Had it been discovered by malicious hackers, or leaked to the general public, warn the researchers, the impact on RigUp, its clients, and 1,000s of energy workers across the USA could have been devastating.

The exposed database was an Amazon Web Services (AWS) S3 bucket, labeled “ru”, says the report, and many of the files contained within included RigUp’s name. Based on this, the vpnMentor team was quickly able to confirm the company as the database’s owner.

The vpnMentor team commends RigUp for responding positively to their disclosure, "especially at a time when it must be experiencing considerable disruption, due to the coronavirus pandemic," write the researchers. The company took full responsibility for the leak and guaranteed a root cause analysis would be conducted.

Example of Entries in the Database

According to the researchers, the exposed S3 bucket was a live database, with more than 76,000 files exposed, amounting to more than 100GB of data, dating from July 2018 to March 2020.

It appears the database was a ‘file dump’ used by RigUp to store various kinds of files belonging to its clients, contractors, job seekers, and candidates for employment. The human resources files being leaked included:

Employee and candidate resumes
Personal photos, including some private family photos
Paperwork and IDs related to insurance policies and plans
Professional IDs
Profile photos, including US military personnel
Scans of professional certificates in different fields

These files contained considerable Personally Identifiable Information (PII) data for the people affected, including:

Full contact details: names, address, phone numbers, home addresses
Social Security information
Dates of birth
Insurance policy and tax numbers
Personal photos
Further information relating to education, professional experience, personal lives

For the more information and the full report, visit vpnMentor.com

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.

Data Breach Report: RigUp Exposes More Than 70,000 Private Files

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Data Breach Report: RigUp Exposes More Than 70,000 Private Files

Share This Story

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.