Jeremiah Fowler reports:
The publicly exposed database contained 2,363,222 documents in .PDF and .PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, and receipts with partial credit card numbers and transaction details. Additionally, there were digital gift cards with no expiration date, source images for websites and templates. I immediately sent a responsible disclosure notice to Kids Empire. The database remained publicly accessible for at least three weeks before it was finally restricted. It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information. Once the database was secured, Kids Empire representatives thanked me by email for my notification and indicated future steps they will take for data protection.
[…]
The data exposure poses potential privacy risks to customers by revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers, and details about the reservations. The mandatory waivers included the child’s name as well as the parent’s personal information and signature. Kids Empire has 68 locations across 18 states, including Arizona, California, Colorado, Florida, Georgia, Iowa, Illinois, Indiana, Kansas, Michigan, Minnesota, Missouri, Nevada, New Jersey, Pennsylvania, Texas, Utah, and Virginia.
Read more at vpnMentor.