- An unsecured backup blob exposed pre-employment background checks on approximately 200,000 people.
- Applicant files contained various amounts of personal and occupational information, including SSN, name, address, driver’s license, date of birth, education and employment history, and in some cases, criminal background checks. Files went back 15 years.
- The blob was unsecured for at least six months and possibly much longer.
Some attempts to help companies or organizations by alerting them to their data exposures can be frustrating. This is one of those frustrating ones.
This story begins with a student researcher previously known as “JLT” on DataBreaches.net. On or about February 15, JLT noticed that a server was listed on GrayhatWarfare with the name Tabbinc. At the time, he had no idea what the firm was and did not look into it. It was not until July 12 that he found and started to investigate the exposed container.
After seeing that it contained sensitive personal job applicant information, JLT (also known as “JayeLTee”) consulted Tabb’s website and found that privacy concerns should be directed to Brian Bodkin, Chief Privacy Officer, at bbodkin@tabb[.]net. On July 20, he responsibly emailed Bodkin with a cc: to info@tabb[.]net. His email included URLs from the firm’s unsecured blob to provide proof and examples of the exposed files.
On July 24, having received no reply, JayeLTee emailed Tabb again. This time, he cc’d DataBreaches and told Tabb he was cc’ing this site. His email began, “I’ve tried reaching out to you on the 20th but I’ve not heard anything back and your server is still exposed so here I am again.” JayeLTee repeated the information on the exposed server and files. This time, he added:
I’ve also read your Data Privacy Framework posted here: https://tabb.net/data-privacy-framework-policy/ According to Section 4, you claim double encryption of PII, and none of these documents are encrypted at all; worse, they are publicly exposed. If you keep ignoring my emails and do not lock this down and then disclose the issue if necessary and required by law, I may file a notification with the FTC and Consumer Financial Protection Bureau so this can be handled. I am cc:ing a reporter who will also be following up on this.
What did Tabb do after receiving that email, you wonder? Nothing.
More Attempts to Get Tabb to Lock Down Their Data
Because Tabb failed to respond to JayeLTee’s emails, DataBreaches attempted different approaches, including:
- a contact form on their website;
- an email on August 8 that included a copy of JayeLTee’s correspondence;
- voicemails left for Brooklyn Hospital Center that their vendor was leaking their job applicants’ information and they should contact Tabb and tell them to lock down their data;
- a phone call to a job applicant at Brooklyn Hospital Center, who did call back and then called the hospital to express her concern about the security of her application;
- phone calls to Englewood Health and Christian Health to also alert them that their job applicants’ files were exposed on the internet by Tabb;
- an email to Barb Wyskowski, J.D. and Brian Bodkin of Tabb on August 12;
- and then a phone call to Tabb on August 13.
Whoever answered the phone at Tabb on August 13 said his name was “Brian” and that there was no IT department to be connected to. When DataBreaches started to explain about the unsecured blob and the multiple attempts to notify them, he became defensive and offensive, claiming that he was the recipient of all contact forms and emails and there had been none. When he found them after being told what to search for, he complained that they had gone to spam (as if his spam filter settings were our fault).
Things got more heated on the phone when he actually complained that JayeLTee hadn’t just picked up the phone and called him. He was told that the researcher was in the EU. “They have phones in the EU,” Brian said. He also complained that DataBreaches hadn’t called them sooner. [Note: As a matter of policy, unless there is an immediate danger or threat to life, DataBreaches first uses written communications to establish proof of what an entity was told and when. The written documentation may be needed for complaints to regulators.]
Things got so heated on the phone that DataBreaches actually became angry and hung up on “Brian.”
Tabb Responds
Shortly after DataBreaches hung up, DataBreaches and JayeLTee received an email from Brian Bodkin in reply to this site’s August 8 email. It was a somewhat stunning response to read:
Dissent and Jayeltee
I’m reading that ProtonMail was just hit by a Russian phishing cyber attack.
I will look into your claims that so far have no evidence. If you found that our reports are leaking, please provide a copy of a report or where they can be found to add credibility to your accusations.
I spoke to the person you called at Brooklyn Hospital and she stated that you would not provide any evidence of a hack to her.
Azure has reported to us that there has not been a data breach of our account.
DataBreaches responded:
Mr. Bodkin:
If you had scrolled down the email chain, you would have seen — and can still see below — that jayeltee provided you with samples of the exposure in his July 24 email by giving you a link to the exposed server at
[redacted]
In the same email of July 24, he also wrote to you: “Some examples of the exposed files:”
[redacted]
Click on the links and you will see three of the approximately 200k files that are exposed in your unsecured blob. If you are afraid to click on links to your own backup blob, have your IT person or vendor or whoever is responsible for the blob check them.
As far as we know, there has been no hack of your account, although by now, criminals may have accessed and copied the exposed files. Hopefully you have good access logs going back to when the blob went online without security so you can determine how many unauthorized IP addresses may have accessed data.
By the way: I did not give the hospital the link to the data as it would expose other clients’ data to them. I tried to protect you by not giving them access to 200,000 files but told them to call you and tell you to get your backup locked down.
There has been no phishing attack and Proton has nothing to do with any of this. You just have an unsecured backup that anyone can find, access, and download, and that jayeltee kindly tried to responsibly alert you to.
Jayeltee did not seek any payment or compensation from you for his attempt to alert you to your security problem. I did not seek anything from you for spending my time trying to alert you to your security problem.
I don’t know about JayelTee, but I am done trying to help you.
/Dissent
Now you might think that should have been sufficient. But no, Bodkin replied:
Yes I saw below.
Like I’m really going to click on links from some unknown people with unknown intents. Why not send a PDF?
Did he check out the links to our sites? The “About” page on this site even has a section for people who may be contacted by this site. Did he look us up on LinkedIn where it also tells people who are contacted how to verify that we are legitimately trying to contact them? Did he not recognize his own blob address? Doesn’t he know that opening .pdf files from unknown people is a greater risk than clicking on a link to his own file on his own blob?
At that point, JayeLTee lost his patience, too, and jumped in. He wrote:
Ok, I’m replying to this because I can clearly see you are clueless about how a cloud storage server works or what your company’s Azure server even is; else you would clearly see that the link is directly from your own server, so if that was a virus, your company is the one hosting it on their server. But hey, here you go: attached are some files of your reports and the over 200,000 links to the rest of the files.
Just a tip: Stop trying to do IT work you’re clearly not qualified for and hire someone who is. I can only imagine how the rest of your IT system is if this is the kind of replies you are sending.
JayeLTee
Bodkin did not respond to JayeLTee, but sent a separate email to DataBreaches in response to my last email to them:
Our IT team will look into this tonight.
How did you come upon these leaks?
Shortly thereafter, the blob and files were locked down.
DataBreaches did not reply to his email.
Tabb’s Claims About Security
In one of its posts on LinkedIn tooting its own horn about being accredited by the Professional Background Screening Association (PBSA), Tabb claims:
PBSA accredited providers adhere to strict data security protocols and comply with relevant privacy laws, safeguarding the confidentiality and integrity of applicant data throughout the screening process.
Legal Compliance and Risk Mitigation:
PBSA accredited companies follow evolving legal requirements and ensure that their screening practices align with current regulations. By partnering with an accredited provider, businesses can mitigate legal risks and safeguard their reputation by demonstrating a commitment to compliance and ethical conduct.
TABB INC. accreditation from the PBSA signifies our adherence to rigorous standards, enhanced accuracy and quality, robust data security measures, and legal compliance.
Robust data security measures? Where was the encryption they claim to deploy on closed investigation files? Where was the protection on a backup with more than 200,000 records? Where was their procedure for receiving and escalating alerts about their data security?
And do they have logs that show when the blob was first online without any security and how many unauthorized IP addresses accessed which files?
What Should Applicants and Clients Do?
Tabb Inc. stored data from a number of clients in the backup. Tabb pitches one of its services to the healthcare sector, which may account for the number of health entities noted in the exposed files. DataBreaches did not analyze all the data, but any hospital, health facility, or business that used Tabb’s pre-employment background check services or criminal background check services in the past 15 years may wish to contact Tabb if Tabb does not reach out to them to disclose this incident.
As noted earlier, Englewood Health was one of the healthcare clients that DataBreaches called when Tabb had not been responding to notifications. Englewood Health called DataBreaches to ask for more information about the incident and why we had called them. They have already started following up by requesting and receiving additional information from DataBreaches. Brooklyn Hospital Center, which had also been called, never called DataBreaches to follow up, despite two phone calls to their HR department to alert them that job applicant data was leaking.
Under some states’ breach notification laws, notification to job applicants whose SSN, driver’s license, or other personal information was exposed may be required. Will Tabb be making notifications? Will their clients? The answer may depend, in part, on whether Tabb has access logs going back to when the blob was first exposed without security.
Updated August 17:
DataBreaches and JayeLTee received an email this morning saying:
Thank you for the notification. The breach was corrected the day you emailed me. Notifications will go out to all affected by this breach. A forensic investigation will dig deeper into why this happened and any security measures that need to be improved.
I searched my email from JayeLTee and there is only one in my inbox from this source dated 7/20/2024 at 1:26 pm. The mail lacked a professional touch and I believed it was just like the 20 or more scam, spam, hacking emails I receive every day. Unknown to me, the Contact Us form was malfunctioning and did not relay the email to our office.
Yes, I am not a technical person. References that TABB is responsible for the breach are inaccurate. TABB personnel are not involved and have no access to Azure or the blob, a word I never heard before. TABB outsources our IT to Spheregen who is responsible for security measures.
To obtain the PBSA certification, I was required to provide documentation of the Microsoft Azure security measures to protect data which is extensive. I believed that our data would be protected by one of the world’s largest companies. Based on my case and the epidemic of Azure breaches I found, Azure does not meet expectations.