Australian Food Service Provider Internal Records and Invoices Exposed in Third-Party Data Breach

04 June 2024

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained 524k documents belonging to Patties Foods Limited, a leading provider of food services throughout Australia. The records included more than 25k invoices. The database also included evidence of ransomware.

This discovery pertained to two separate database exposures that were publicly accessible and non-password protected. The first was an exposed logging server that contained 496,296 records. These logs captured various types of information such as system errors, warnings, indexing operations, search queries, cluster health status, and other diagnostic data. They also exposed internal, customer, and vendor emails. Additionally, I identified a separate cloud storage database inside the logging records that contained 25,800 invoices and distribution records in .pdf and .xls formats. Upon further research, it was identified that the records belonged to Patties Foods Limited PFL. Patties Foods is an Australian food company known for producing a wide range of edible products. Founded in 1966, Patties is one of Australia’s leading manufacturers and suppliers of meat pies, sausage rolls, pastries, desserts, and frozen fruits.

However, documents indicate the IP address was managed by a company called Provenio.ai, a service provider which provides AI-powered productivity for the supply chain back-office to many well-known Australian companies.

I immediately sent a responsible disclosure notice to Provenio. Provenio acted fast and professionally to restrict access as soon as they were notified, and public access to both databases was restricted within hours. The following day I received the following response from a Provenio representative stating: “I can confirm that your message has reached the relevant people, and we are taking this very seriously. Thank you for notifying us and thank you for confirming that you do not download or extract data. We have taken immediate action to rectify the issue as well as investigate how the exposure has happened. However, at this stage it is possible that this may have happened due to human error resulting from a patch update”. It is not known how long both databases were exposed or if anyone else may have gained access to the non-password-protected records. Only an internal forensic audit would allow a database owner to identify any suspicious activity or other additional access.

The exposed records contained a wealth of information that could have significant potential risks in the wrong hands. The documents identified vendors, contacts, emails, and banking information such as account numbers, invoice amount, supplier number, supplier name, invoice number, invoice amount, approval code, employee names, and more. I saw invoices amounting to a significant sum, making this data a valuable potential target for criminals. Internal logging records also contained Jira support tickets that identified issues, problems, and the status of support requests.

In an interview, a representative from Provenio described the services as: Using our domain curated and contextual AI, we create value for the providers and consumers of freight and logistic services, by digitalising and automating the flow of transactional information that sits behind the physical supply chain. By digitalising and extracting more information from supply chain logistics images and documentation, we enable richer insights, for better data-driven decisions and a more optimized supply chain network.

This screenshot shows a ransomware notice indicating that the data has been backed up and that 0.021 BTC must be paid to recover the database. I only saw the note and it is unknown if any data was backed up by cybercriminals, only the owner of the database could know for sure after an internal audit. It is important to note that in the majority of cases such notices are left automatically, and does not always mean that the database was directly accessed.

This screenshot shows bank account numbers, BSB numbers, and other account data exposed in the logs.

This screenshot shows how invoices were uploaded with a timestamp. This could have created a potential risk of criminals editing the invoice before it could be reviewed, hypothetically increasing the chance of invoice fraud.

This screenshot shows an invoice with an amount of nearly $150,000 AUD. The invoice also displayed bank account information, PO number, and other internal reference data.

This screenshot shows an invoice with bank account information. Hypothetically, it could be altered to reflect a different account in an attempt to trick the company into making a payment to an unauthorized individual.

This screenshot shows transportation and distribution log documents with consignment numbers, customer references (retailers and wholesalers not the general public), pickup and delivery locations, and more.

❮❯

What Is Invoice Fraud?

Invoice fraud involves the creation, alteration, or manipulation of invoices with the intent to deceive and defraud businesses. Criminals could potentially exploit invoices exposed in a data breach for financial gain by using non-public internal information such as billing details, payment terms, contact information, and other details to launch various fraudulent schemes. For example, using an exposed invoice as a template, the criminal could hypothetically alter legitimate invoices to redirect payments to accounts owned and operated by the criminals. Using real data from invoices, criminals could also impersonate legitimate vendors and issue false invoices for products or services that were never provided. By exploiting the position of trust a company has with their vendors, criminals could potentially deceive a business into making unwarranted payments.

Using real data that only the company and vendors would know significantly increases the chances of a successful invoice fraud attack, as the targets would have little reason to doubt the legitimacy of the document. This type of fraud can lead to significant financial losses for organizations, regardless of size. In this case, the invoices were uploaded to the database and updated in real-time with a timestamp. Hypothetically, criminals could simply monitor the exposed database for new invoices. Once a new invoice appears, they could download it, modify the payment details to the criminal’s bank account, and then replace the legitimate invoice with the fraudulent version. With a company as large as Patties Foods and so many vendors, it would probably be a time-consuming task to validate or verify the number of monthly invoices being processed. This means a hypothetically higher chance of the fraudulent invoice going unnoticed until after it is paid.

The Australian Cyber Security Centre (ACCC) issued an advisory on April 4th urging citizens to beware of invoice scams where criminals send victims altered payment requests. The advisory also indicates that, in 2023, Australians reported losing $16.2 million to payment redirection scams. Although the advisory was addressed to citizens, the same risks apply to companies, whose losses could be much greater. I am not saying that Patties Foods or any of its vendors are at risk of invoice fraud, I am only providing a real-world scenario to raise awareness of how the exposed documents could be used by criminals.

Additional Potential Risks

In addition to the exposed invoices, the database also contained Jira tickets identifying support requests, technical issues, and communications between Patties Foods and Provenio. These communications identified problems with invoices and solutions, service issues or other information that could potentially be misused for fraud or for malicious actors to exploit identified system vulnerabilities.

Jira is a project management software used by companies to track and manage their activities. It provides teams with tools for task tracking, issue management, collaboration, and workflow automation. It is also a useful tool for service support. In this case, the records were stored and managed by the end user, and the exposure is no fault of the Jira software.

In the database, there were also spreadsheets and invoices containing fleet and transportation information, such as details of the vehicle, pallet numbers, billing and invoice totals. In addition to contact information for food vendors and suppliers, the fleet or delivery service documents could potentially provide criminals with additional inside information that could be exploited for fraudulent activities, such as impersonating an employee.

Any exposure of supplier and vendor invoices in a data breach underscores the critical importance of safeguarding sensitive information required for normal business operations. I recommend that companies take proactive measures to protect themselves from invoice fraud and be vigilant to the common tactics of cyber criminals. Here are a few basic tips that could help prevent invoice fraud:

Implement verification procedures to ensure the authenticity of invoices and the legitimacy of vendors. Adding extra layers of security is time-consuming, but even when companies use automation to save time and resources, it is important to apply human logic to identify suspicious activity. Verify vendor contact information using official communication channels, and cross-reference invoice and payment details with purchase orders and contracts to ensure they have not been altered or changed.
Enforce dual authorization within your accounts payable or finance department to ensure that no single individual has sole control over the entire invoicing and payment process. Requiring two separate individuals to review and sign off on financial transactions can reduce the chances of criminals successfully carrying out a fraudulent scheme. This way, if one account is compromised or a modified invoice goes unnoticed at first, the transaction will hopefully be identified by the second person needed for the approval.
Raise awareness and train employees to recognize common red flags of invoice fraud, such as discrepancies in billing details, unusual payment requests, or changes in vendor contact information. It is also important to provide dedicated communication channels for employees to report suspicious activity or concerns before a suspicious payment is approved.
Regularly review financial records to identify any discrepancies or anomalies that may indicate potential fraud. Although it may be difficult to reverse a fraudulent transaction once it has been identified, it can prevent additional payments from going through. Reviewing vendor accounts and payments regularly decreases the chances of unauthorized transactions or other irregularities taking place.

Companies that provide automated billing and purchase order payment services can also implement several basic measures to safeguard their data against data breaches, cyber attacks, or unauthorized access. I recommend:

Including strong encryption protocols to protect sensitive data that may be used by an application, user dashboard, or storage repository. Encrypting all data ensures that even if records are intercepted or accidentally exposed, those files will be unreadable and virtually worthless to criminals.
Using strong access controls and authentication mechanisms, such as multi-factor authentication. These steps can help prevent unauthorized users from gaining access to critical systems or data.
Running regular security audits and penetration testing can identify vulnerabilities proactively, including open ports, misconfigured firewalls, and publicly exposed cloud storage databases.
Providing cybersecurity training for all employees can help identify potential threats and mitigate human errors — even if security is not in their job titles. Cyber threats change often, so companies need to take basic steps to secure their data and stay a step ahead of criminals who are actively looking to exploit all types of vulnerabilities for financial gain.

I imply no wrongdoing by Provenio or Patties Foods, nor do I claim that any customer data or vendor data was or is presently at imminent risk. As an ethical security researcher, I do not download the data I discover and only take a limited number of screenshots for verification purposes. Although any data exposure is a potential security concern, it is also a learning experience and an opportunity to strengthen the cybersecurity of the products and services a company offers. It is not known how long the two separate databases were publicly accessible. Only through an internal forensic investigation would Provenio be able to identify this information and any suspicious activity.