Millions of Documents & UK Healthcare Workers’ PII Exposed in Staff Management Software Data Breach
Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained nearly 8 million records belonging to a UK-based software company that facilitates employee data management, compliance, timesheets, and payroll.
The publicly exposed database was not password-protected or encrypted. It contained 7,975,438 files with a total size of 1.1 TB. The records included images and .PDF files containing work authorization documents, national insurance numbers, certificates, electronic signatures, timesheets, user images, and government-issued identification documents. The database also contained 656 directory entries indicating different companies, most of which were healthcare providers, recruiting agencies, or temporary employment services.
The name of the database and its internal files indicated they belonged to Logezy — an employee management and tracking software company based in the UK. I immediately sent a responsible disclosure notice to Logezy, and shortly after the database was restricted from public access and no longer accessible. Although the records belonged to Logezy, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before I discovered it or if anyone else may have gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity.
According to their website, the Logezy Staff Management Software is a cloud-based solution designed for organizations managing both permanent and temporary staff. The software provides features aimed to streamline the deployment of workers, payments, and billing or invoicing with minimal or no paperwork. The platform also claims to simplify employee data management, compliance checks, timesheets, and payroll using a digital system. The Logezy mobile app is available on both the Android Play Store and the Apple App Store. Although they claim to serve businesses across various industries, it should be noted that, in a limited sample, all of the records I saw pertained to the healthcare sector and healthcare workers.
There are numerous potential risks with any data exposure connected to the healthcare industry. According to a report in Digital Health, an estimated 79% of healthcare providers in the UK have experienced at least one data breach since 2021, with a 22% year-over-year increase in reported breaches by healthcare IT professionals. Additionally, the report stated there was a 14% rise in unintentional data leaks caused by employees.
It is no secret that healthcare data is a valuable commodity to cyber criminals, but so is the PII of those who work in the healthcare industry. The exposed records — including authorization documents, national insurance numbers, certificates, and identification documents — contain a wealth of information that could be exploited or potentially used for a variety of malicious purposes. I am not saying that these individuals are or were at risk of these types of potential threats, I am only highlighting real-world scenarios to raise awareness and for educational purposes.
Potential risks may include:
- Identity Theft: Personal data that is publicly exposed in the form of identification documents, national insurance numbers, or employment data can pose serious potential risks. Criminals could attempt to assume the identity of healthcare workers knowing they have stable employment and possibly good credit, making them a high-value target. This can potentially lead to financial fraud, with criminals opening accounts or taking out loans in the victim’s name. A 2023 FICO report revealed that approximately 1.9 million consumers in the UK (4.3%) reported having their identity stolen and used to open financial accounts without their consent.
- Credential Theft: The exposure of work credentials, electronic signatures, and certification data could potentially lead to unauthorized access to internal healthcare systems. Although most of the individuals I saw were frontline workers, some documents included the names of supervisors or administrators. Targeting healthcare personnel further up the chain of command could increase the hypothetical risks of criminals attempting to steal sensitive patient data or access other sensitive internal resources.
- Social Engineering Attacks: There is no definitive answer to how big of a role the human factor plays in cyber attacks, but it is estimated that social engineering accounts for approximately 70%-90% of all cyberattacks. Cybercriminals often use personal information gathered from healthcare workers to carry out social engineering attacks, where they manipulate staff or other individuals in the organization to provide access to systems or data. For example, by knowing an employee’s position, work location, or colleagues, attackers can craft convincing phishing messages. In 2023 it was reported that social engineering attacks in the healthcare industry increased by 279% from the previous year.
- Ransomware Attacks: Any exposed or misconfigured cloud storage database has a range of potential risks, but none as destructive to business operations as ransomware. Cybercriminals can lock systems, encrypt, or even delete files and demand a payment (usually in crypto) in exchange for unlocking or recovering data. Many healthcare organizations rely on their digital systems to provide necessary medical care — having no access to those records gives rise to serious potential risks that may endanger patients’ lives. Although Logezy is not a healthcare provider, it appears that they provide data and services for a considerable number of healthcare organizations and process large amounts of personal data, including payment and tracking records for the workers of those organizations, which cybercriminals could potentially exploit for this purpose. According to the Office of the Director of National Intelligence in the US, attacks against the healthcare sector were up 128% in 2023 compared to the previous year.
- Threats to PII and Personal Data: Identity information can be sold on the black market or the dark web, where it could be potentially used for various types of fraud or criminal activities. Cybercriminals could potentially use the exposed healthcare worker data to create fake IDs or to engage in illegal activities using the identity of individuals affected by the data exposure. Numerous reports estimate that an individual’s personal information is worth between £800 and £1,000 on the dark web, while forged identification documents (using real documents as a template) may be priced at as much as £4,500.
If you believe your personal information may have been exposed, I recommend you monitor your accounts and credit reports to identify any suspicious activity or unauthorized attempts to use your information.
Staff management software is extremely valuable for organizations to streamline their processes and document management. However, when the developers of such services collect and store the data of multiple organizations or businesses in one centralized location, it can increase the potential risks of cross-client data leaks. I recommend that developers and services that collect data from multiple businesses segment these records into separate cloud storage environments to enhance security, prevent unauthorized access, and minimize the impact of potential data breaches. By isolating each business’s data through logical or physical separation, providers can avoid putting all of their eggs in one basket.
In this case, the companies were in separate non-password-protected folders, but all documents inside the folders were publicly accessible. As a best practice, I would recommend using different databases with separate access controls. Structured segmentation combined with encryption of those records is a good first step to ensure the data is protected, as security threats can then be contained within isolated environments.
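To make the segmentation recommendation concrete, here is an added example (not Logezy’s code, and not from the original report) that models a multi-client document store: the weak policy reproduces the exposure described above, where every client directory is readable without authentication, and the segmented policy requires an authenticated principal whose tenant matches the directory. All tenant names, paths, and the `Principal` type are constructed for illustration.

```python
"""Per-tenant access check for a multi-client document store (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # the client company the user belongs to (constructed)


def tenant_of(object_key: str) -> Optional[str]:
    """Return the top-level tenant directory of a key such as
    'tenant-042/timesheets/w12.pdf', or None if there is no directory."""
    parts = object_key.split("/", 1)
    return parts[0] if len(parts) == 2 and parts[0] else None


def open_policy(principal: Optional[Principal], object_key: str) -> bool:
    """Weak setting: every object is readable by anyone, including anonymous callers.
    This is the behaviour of the exposed database described in the report."""
    return True


def segmented_policy(principal: Optional[Principal], object_key: str) -> bool:
    """Hardened setting: deny anonymous access and only allow users of the
    tenant that owns the directory. Keys with no tenant prefix are always denied."""
    if principal is None:
        return False
    tenant = tenant_of(object_key)
    return tenant is not None and tenant == principal.tenant_id


def publicly_readable(policy: Callable[[Optional[Principal], str], bool],
                      keys: List[str]) -> List[str]:
    """Audit helper: the keys a policy would hand to an unauthenticated caller.
    A non-empty result means the store is publicly exposed."""
    return [k for k in keys if policy(None, k)]


# Constructed sample layout: separate client directories, as in the report.
SAMPLE_KEYS = [
    "tenant-042/right-to-work/ab12.pdf",
    "tenant-042/timesheets/w12.pdf",
    "tenant-117/certificates/nurse-c3.jpg",
]

if __name__ == "__main__":
    print("exposed under open policy:", publicly_readable(open_policy, SAMPLE_KEYS))
    print("exposed under segmented policy:", publicly_readable(segmented_policy, SAMPLE_KEYS))
```

The `publicly_readable` audit is the check to run before any client directory goes live: the hardened policy should return an empty list, and a user from one tenant should never be granted a key under another tenant’s directory.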
I imply no wrongdoing by Logezy, or its employees, agents, contractors, affiliates, and/or related entities. I do not claim that any internal, customer, or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are strictly and exclusively for educational purposes and do not reflect, suggest, or imply any actual compromise of data integrity. It should not be construed as a reflection of or commentary on any organization’s specific practices, systems, or security measures.
As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots as necessary and solely for verification purposes. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any and all liability for any and all actions that may be taken as a result of this disclosure. I publish my findings to raise awareness of issues of data security and privacy. My aim is to encourage organizations to proactively safeguard sensitive information against unauthorized access.