
Cybersecurity researcher Jeremiah Fowler has discovered and reported an "unprotected database" belonging to Smoke Alarm Solutions, Australia’s largest smoke alarm installation and service provider.
In the report for virtual private network firm vpnMentor, Fowler - cybersecurity researcher at vpnMentor and co-founder of Security Discovery - says the database contained over 700k documents totalling over 100 GB, including 355,384 unique documents marked as invoices, revealing “customers' PII, documents such as inspections, compliance reports and more putting the customers at risk of many online threats”.
“The exposed database contained 762,856 documents and totaled 107 GB. Upon further research, it was indicated that the data belonged to Smoke Alarm Solutions, an Australian company specializing in the installation and maintenance of smoke detectors,” notes Fowler.
“The publicly exposed files contained customer information, including detailed invoices, records of inspections, estimates, compliance reports, electrical safety inspections, service quotes, and service reports. The publicly accessible documents provided a comprehensive view of the company's transactions and customer interactions.
“The database contained 355,384 documents marked as invoices, dated 2021-2024. This number gives a basic idea or estimate of how many individuals could be potentially affected by the exposure. Additionally, there were 24,632 documents marked as “on site quotes” that contained the names and email addresses of the business, agent, or individual obtaining a quote.
“In a limited sample and manual review of the exposed database, I didn’t see any duplicate documents or information — the documents appeared to be unique,” Fowler says, adding that “I immediately sent a responsible disclosure notice to Smoke Alarm Solutions and the database remained open to public access.
“I received a reply from a technology consultant representing the company that read: “We are aware of this data store. Its state is the unfortunate side effect of some work by a previous system integrator. We are actively migrating to a new customer management platform. We will block all access (or more likely, decommission) this data store as soon as we have migrated the data to our new platform”.
Fowler further reports: “However, the records were still accessible nearly 2 months after my first responsible disclosure notice. I sent numerous follow-up emails including official support links to information on how to restrict public access to the database and finally the database was secured. It is unclear how long the documents were exposed or who else may have gained access to them. Only an internal forensic audit conducted by Smoke Alarm Solutions could identify this information.
“In Australia, all properties are legally required to have smoke alarms installed on every level of a home. This includes owner-occupied homes, rental properties, relocatable homes, caravans, camper-vans, or any other residential buildings. The market size of the Fire and Security Alarm Installation Services industry in Australia was estimated to be $4.0bn in 2023. Companies like Smoke Alarm Solutions offer subscription services to help private individuals, landlords, and real estate companies stay compliant with the law. A unique dynamic arises anytime customers are using a service or a product that is legally required, as it typically involves a regulated market. As such, it’s important that these companies provide a high-quality service, which includes safeguarding their consumers’ data to the best of their ability.
“According to their LinkedIn page, “Smoke Alarm Solutions is the leading provider of residential smoke alarm compliance and maintenance services to the Australian real estate industry. Australian owned and operated since 2007 with local technicians and electricians located throughout Queensland, Victoria and South Australia”.