Cybersecurity researcher Jeremiah Fowler uncovered a non-password-protected database that contained over 2.3 million documents belonging to Kids Empire, an US operator of recreational centers.
The publicly exposed database contained 2,363,222 documents in.PDF and.PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, and receipts with partial credit card numbers and transaction details.
The database remained publicly accessible for at least three weeks before it was finally restricted. It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information.
Jeremiah Fowler
The data exposure poses potential privacy risks to customers by revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers, and details about the reservations. The mandatory waivers included the child’s name as well as the parent’s personal information and signature.
Kids Empire has not yet issued an official statement regarding the breach.
