Nearly 250,000 records leaked in major tax consultancy breach - here's what we know

It was discovered by Jeremiah Fowler, a cybersecurity researcher and analyst known for hunting for unencrypted and non-password-protected databases, and in a new vpnMentor report, Fowler said he found an archive with a total size of 286.9 GB, containing 245,949 records.

“In a limited sampling of the exposed documents, I saw files that detailed PII such as names, physical addresses, email addresses, DOB, and SSN in plain text,” Fowler explained. “There were also driver’s licenses, identification cards, SSN cards, work opportunity tax credit documents that included employment and salary information, and determination letters with acceptance or denials of eligibility.”

Rockerbox leaks

Furthermore, he observed DD214 forms - Certificates of Release or Discharge from Active Duty, issued by the US Department of Defense to veterans and similar military personnel. There were also password-protected PDF files labeled as “forms”, with file names containing PII such as employer names, and applicant first and last names.

Fowler attributed the database to a Texas-based company called Rockerbox, a tax credit consulting organization helping businesses increase their cash flow by identifying and managing employer-focused tax incentives through programs like the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits.

After reaching out to Rockerbox, the company closed down the archive in a matter of days, but allegedly never replied back to the researcher.

Therefore, we don’t know if the company manages this database, or if that work was handled by a third party - or if any threat actors obtained it in the past, but at press time, there was no evidence about in-the-wild abuse.

You might also like

• More than 3 million records, 12TB of data exposed in major app builder breach
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers