An alarming three-month oversight by a prominent Australian company has exposed hundreds of thousands of individuals to potential targeting by criminals.
A cybersecurity researcher has issued a warning about a major smoke alarm company in Australia that left a vast number of sensitive customer documents exposed online for nearly three months. During this time, it is highly probable that malicious actors gained access to these documents.
Smoke Alarm Solutions, a company that operates in multiple states and has served a large number of properties, recently had a concerning incident. Cybersecurity researcher Jeremiah Fowler discovered that the company had left a significant amount of sensitive documents, totalling 107GB, in a non-password-protected database. This oversight raises serious concerns about information security.
According to the individual, the company neglected to protect the information for an extended period of time, despite receiving a responsible disclosure notice. In a report published by VPNMentor this week, Fowler revealed that the files contained a vast amount of information. This included over 355,000 detailed invoices spanning from 2021 to 2024, as well as records of inspections, estimates, compliance reports, electrical safety inspections, service quotes, and service reports.
An extensive collection of over 25,000 documents included detailed information such as the names and email addresses of the parties involved in obtaining on-site quotes. According to Fowler, the timing of this revelation is quite opportune. It comes shortly after the consumer watchdog’s recent warning about the rise in fraudulent invoice scams, which have resulted in Australians losing over $16 million in the past year.
“It’s very likely [the information was accessed by hackers] actually, because the bad guys are looking for the same data that I’m looking for, except when I find it I verify, validate and report it, but the bad guys are using it as a tool for scams, phishing attempts, anything they can get,” the Germany-based researcher told news.com.au.
“In this case you had templates of thousands of invoices. This company offers subscription services, you can see when the subscription is going to expire. So for example, you wait until about one month before it expires and say, ‘Hey we’re going to give you a 50 per cent discount.’”
Fowler said the documents contained “details only the company and the homeowner would know”.
“Locations of smoke alarms, what type was there, the last date of work orders, so it provides this position of trust,” he said.
“The customer slash victim wouldn’t have any reason to suspect [a scam].”
Fowler said he often found “very sensitive data from very small companies”.
“In this case you have a few hundred thousand customers, you don’t think of them as being technical or digital but they collect and store digital records of the services they provide,” he said.
After being informed, the company promptly responded to the researcher’s notification with a message from a technology consultant, “We are aware of this data store. Its state is the unfortunate side effect of some work by a previous system integrator. We are actively migrating to a new customer management platform. We will block all access (or more likely, decommission) this data store as soon as we have migrated the data to our new platform.”
However, Fowler emphasised that the problem persisted for several months and that the duration of the document exposure remained uncertain.
“The worst thing was just how long it was [left online],” he said.
“I literally emailed them a follow-up email [after the initial disclosure] and was like, ‘Guys, it’s still available.’ A month-and-a-half in I actually sent them links to the cloud hosting providers on how to secure data, and it still stayed open for another month.”
In a statement to Fowler, a legal representative for Smoke Alarm Solutions provided their perspective, “Based on the circumstances of the alleged incident as instructed by our client, the alleged incident does not, in our view, constitute a notifiable data breach under the Act, and therefore our client is not required to notify either the authorities or any individual about such alleged incident.”
Smoke Alarm Solutions has been reached out to for a comment. Fowler emphasised the critical role that service providers play in safeguarding customer data in regulated markets. Smoke alarms are mandatory in all Australian properties, with installation required on every level of a home. According to IBISWorld, the fire and security alarm installation services industry has an estimated annual worth of $4 billion.
“In Australia it’s an interesting dynamic because you’re required to have a smoke alarm, you’ve got the penalty of law and you’ve got a company that’s going to take care of that for you,” he said.
As the Australian Competition and Consumer Commission (ACCC) advises individuals to thoroughly review their invoices, it is crucial to exercise caution and attention to detail.
Fraudsters mimic legitimate companies that the target has previously engaged with and send an invoice for a service provided. They operate by targeting a large number of recipients, banking on the fact that a small fraction of them will be gullible enough to believe the requests coming from unknown phone numbers or email addresses asking them to pay a bill.
Fraudulent invoices are occasionally transmitted through compromised company email accounts or via a deceptive email that closely mimics the genuine business email. Many individuals only become aware of being scammed when the business in question contacts them regarding an outstanding invoice.
Industries that deal with high-value transactions, like real estate and construction, are often the focus of attention due to the significant amounts of money involved. Travel companies and car dealerships have also been recent subjects of investigation. However, there are also individuals who engage in fraudulent activities, often pretending to be road services and requesting payment for unpaid tolls.
“Scammers are sophisticated criminals and are becoming more targeted in how they exploit Australian consumers and businesses,” ACCC Deputy Chair Catriona Lowe said.
“These criminals are posing as genuine businesses that a consumer has recently dealt with, sending fake invoices with altered payment details so that the money ends up with the scammer.”
A couple suffered a devastating loss of $800,000 when they unknowingly transferred the funds to a fraudulent bank account. The scammer, posing as their solicitor, deceived them while they were trying to finalise a property purchase. Yet another unfortunate victim fell prey to scammers who hacked into a car dealership’s email account. They cleverly deceived the individual by sending a bogus invoice, causing them to lose a staggering $35,000, even after they had taken precautions by making a secure deposit.
Public Spectrum is the first knowledge-sharing platform in Australia to embrace the entire public sector. This website is a platform where you can connect, collaborate, empower, inspire, and upskill with public sector professionals.
