Incident

UK software company Logezy exposes 8 million healthcare worker records in unsecured database



A significant data leak has been identified involving Logezy, a UK-based employee management software company that serves the healthcare sector.

Logezy's Staff Management Software is a cloud-based solution designed for organizations managing both permanent and temporary staff, providing features for worker deployment, payments, billing, employee data management, compliance checks, timesheets, and payroll.

Cybersecurity researcher Jeremiah Fowler discovered and reported a non-password-protected database containing nearly 8 million records of sensitive personal and professional information. The publicly exposed database contained 7,975,438 files totaling 1.1 TB of data that was neither password-protected nor encrypted. The researcher notified Logezy through a responsible disclosure notice, after which the database was secured and restricted from public access.

The exposed data included:

  • Work authorization documents
  • National insurance numbers
  • Professional certificates
  • Electronic signatures
  • Timesheets
  • User images
  • Government-issued identification documents

The database contained 656 directory entries for different companies, with most being healthcare providers, recruiting agencies, or temporary employment services. All records observed by the researcher belonged to the healthcare sector and healthcare workers.

Exposure of such sensitive data creates a risk of identity theft, credential theft, social engineering attacks, and the sale of personal data on the dark web.

It's not clear how long the database was exposed before discovery or whether any unauthorized parties accessed the data during this period.
