US Marketing Firm Exposes Sensitive Data of American Clients and Prospects

SafetyDetectives Cybersecurity Team
SafetyDetectives Cybersecurity Team SafetyDetectives Cybersecurity Team
Updated on: March 20, 2024
SafetyDetectives Cybersecurity Team SafetyDetectives Cybersecurity Team
Updated on: March 20, 2024 SafetyDetectives Cybersecurity Team

Intro

The SafetyDetectives cybersecurity team identified a considerable data exposure at the American firm Powersports Marketing.

Powersports Marketing™ specializes in direct marketing solutions for automotive dealerships throughout the United States.

The company misconfigured one of its Microsoft Azure Blob Storage servers, exposing highly sensitive and personal data for an estimated 150,000 Americans in addition to thousands of American businesses.

Who is Powersports Marketing?

Powersports Marketing™ (otherwise known as PSM Marketing) is a private American firm based in Peachtree City, Georgia, USA. Launched by professional coaching provider Dealership University™ in 2004, the company provides marketing solutions to automotive dealerships located throughout the United States.

The company operates its business from several different URLs, including powersportsmarketing.com, psmmarketing.com, and polarisofbr.com. PSM also hosts other websites, such as powersportsdealerlocator.com and many others.

Powersports Marketing specializes in multi-channel direct campaigns and its services include website creation, marketing automation software, and advertising copy across a range of mediums—from personalized website banners to postcards and flyers.

Powersports Marketing has a small team of up to 50 employees and turns over an estimated $5 million in annual revenue (as per zoominfo.com). The firm deals with prominent car and motorbike dealerships such as BMW, Honda, Harley Davidson, Nissan, Dodge, KIA, and many more.

We know the server belongs to Powersports Marketing due to branded headers included in documents.

Who is Powersports Marketing?

PSM Marketing is identified as the server owner.

What was Exposed?

Powersports Marketing left its Azure Blob Storage server accessible, without proper authentication in place. As such, Powersports Marketing exposed around 400,000 files containing PIIs totaling over 50 GB of data. This data belongs to Powersports Marketing’s clients and their customers.

Three separate file types were identified on PSM’s open blob storage: Customer import lists, client invoices, and credit card details.

Customer Import Lists

Customer import lists exposed the data of Americans — people who are customers of PSM’s clients. Customer import lists featured prominently on the server and there were hundreds of thousands of individual records on these files.

Customer import lists exposed a range of PII:

  • Full names, i.e. first names and surnames
  • Physical addresses, including State, City, Zip Code
  • Email addresses
  • Phone numbers

PSM clients appear to have imported their customers’ data to create these lists and subsequently sent this information to Powersports Marketing. Customer lists may allow PSM to perform its services. You can see evidence of customer import lists below.

What was Exposed?

Customer import lists feature on the server

Client Invoices

Around 5000 files of client invoices (or “estimates”) featured on the open blob storage. PSM sent these invoices to clients and stored copies of each document on its server. As such, invoices expose the PII of PSM’s clients — businesses that have purchased marketing services and products from Powersports Marketing.

The client PII on these files included:

  • Cost breakdowns.
  • Date of estimates (the date upon which each cost breakdown was calculated).
  • Client company details, such as company names and addresses.

Client invoices also exposed the first name of the sales rep overseeing each transaction — information that affects PSM staff.

You can see evidence of a client invoice in the following screenshot.

What was Exposed?

A list of charges on a client invoice

Credit Card Details

Credit card details were exposed on the open server too. An estimate of the volume of CC details is unavailable due to the server’s disorganization, though there are likely no more than a handful of these files.

Credit card details exposed an array of client PII:

  • Cardholder names
  • Credit card numbers
  • Card expiry dates
  • CVV numbers
  • Cardholder addresses
  • Signatures

You can see evidence of files containing credit card details below. The SafetyDetectives team has redacted these documents for security purposes — the original files were completely visible.

What was Exposed?

Some documents exposed credit card details

Based on the prevalence of customer import lists, an estimated 150,000 Americans are affected by this data exposure, along with thousands of American businesses.

You can see a full breakdown of this data exposure in the table below.

Number of files exposed 400,000
Number of affected users ~150,000
Size of breach An estimated 50-100GB
Server location USA
Company location Peachtree City, GA, USA

We discovered Powersports Marketing’s open Blob storage on October 4th, 2021. We have reached out to numerous PSM email addresses on several different occasions since we discovered the open server. Unfortunately, we did not receive a reply from the company.

We also reached out to the US CERT, however, we did not receive a reply from this organization either.

As a last resort, we called the phone numbers that are shown on Powersports Marketing’s website. A representative answered our call but, after a few seconds of conversation, they hung up.

All involved parties could face various impacts because of this data breach.

Data Breach Impact

We cannot and do not know whether malicious actors have accessed the content of Powersports Marketing’s misconfigured Azure Blob Storage server.

However, American citizens, PSM clients, and Powersports Marketing could still encounter cyber threats if any hacker or cyber-criminal has read or downloaded the blob storage’s exposed files. Powersports Marketing could also be subject to additional legal sanctions and damages.

Impact on Clients

The clients who were exposed in customer import lists may suffer from phishing attacks, fraud, scams, theft, and burglary.

Firstly, exposed contact details would allow criminals to contact clients through their chosen medium. Cybercriminals could pose as an employee of an exposed company, referring to the victim’s name or address to build trust.

Once the victim believes the communications are legitimate, bad actors could launch phishing attacks, scams, or fraud. In a phishing attack, the cybercriminal may attempt to convince the victim to reveal additional PII or to click a malicious link. Malicious links may contain malware that can allow cybercriminals to execute additional crimes and fraudulent activities.

Criminals could also launch popular scams, such as invoice scams, to fraudulently convince victims to send them money.

The presence of addresses means Americans could also be targeted with theft and burglary at their residences by criminals who acquired the exposed content of the blob storage.

Impact on PSM Clients

A large portion of businesses could be confronted with credit card fraud and corporate espionage.

Credit card details were available in full to anyone who accessed the open blob storage, in addition to signatures and addresses. This information could be used to make fraudulent purchases or to obtain unauthorized funds from the victim’s account.

Businesses have lost huge customer lists as well. Rival businesses may acquire this information and contact each exposed business’s customers with deals and offers on motor vehicles. Rival businesses could steal trade away from exposed clients if customers are persuaded to purchase from alternative retailers. This could also affect Powersports Marketing, with rival marketing firms attempting to steal the company’s clients.

Impact on Powersports Marketing

Powersports Marketing could experience legal sanctions and forms of corporate espionage as a result of its data breach.

The company may have mishandled the personal information of Americans. The Federal Trade Commission (FTC) protects the data of Americans and, should the FTC deem Powersports Marketing responsible, could impose sanctions and punishments on PSM.

According to Section 5 of the FTC Act, the maximum fine for exposing the data of Americans is $100 million. In serious cases, guilty individuals can be placed under arrest.

Meanwhile, malicious actors could contact PSM employees—using client details, cost breakdowns, and staff names to build trust. A rival business could contact PSM in this manner to coerce sensitive company information from PSM employees.

Preventing Data Exposure

How can we protect our data and limit our risk of being exposed in a data leak? What can we do to identify and nullify the threat of cybercrime?

Here are some tips to help you avoid cybercriminal activity:

  • Don’t provide your personal information to individuals or companies whom you don’t know and trust.
  • Only visit websites with secure domains and SSL certificates (URLs that feature a “HTTPS” and/or a closed lock symbol).
  • Be extra cautious when entities ask for highly confidential information, such as your social security number, government ID number, or personal preferences.
  • Use a mixture of letters, capitals, numbers, and symbols to create secure passwords for your accounts. Update your passwords regularly.
  • Never click links in emails, direct messages, SMS messages, or anywhere else on the internet unless you are certain the source is legitimate.
  • Edit your privacy settings on social media so that only friends and trusted users can see your content and personal information.
  • Don’t display personal information or perform certain tasks when connected to public WiFi (i.e. don’t type out your credit card details to buy goods on public WiFi).
  • Use online resources to learn about cybercrime, data protection, and avoiding phishing and malware attacks.

About us

SafetyDetectives.com is the world’s largest antivirus review website.

The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data. The overarching purpose of our web mapping project is to help make the internet a safer place for all users.

Our previous reports have brought multiple high-profile vulnerabilities and data leaks to light, including 2.6 million users exposed by an American social analytics platform IGBlade, as well as a breach at a Brazilian Marketplace Integrator platform Hariexpress.com.br that leaked more than 610 GB of data.

For a full review of SafetyDetectives cybersecurity reporting over the past 3 years, follow SafetyDetectives Cybersecurity Team.

About the Author
SafetyDetectives Cybersecurity Team
SafetyDetectives Cybersecurity Team
SafetyDetectives Cybersecurity Team
Updated on: March 20, 2024

About the Author

The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data. The overarching purpose of our web mapping project is to help make the internet a safer place for all users