UK Software Has Massive Data Leak

Affecting Millions of Medical Worker Records

A major data security lapse has come to light involving an unprotected online database that left nearly 8 million files exposed to the public. The cache, weighing in at approximately 1.1 terabytes, contained highly sensitive documents including work permits, national insurance numbers, certificates, digital signatures, timesheets, personal photos, and copies of government-issued IDs. The exposed records appear to belong to employees—primarily within the healthcare sector—raising urgent privacy and data protection concerns.

What Was Discovered

The exposed database had no form of protection (no password and no encryption), making it accessible to anyone who found it. In total, 7,975,438 files were exposed. A close inspection revealed that many of these were document scans and images commonly required during onboarding, identity verification, and staff management processes.

Also included in the exposed data were 656 directories, each seemingly linked to a different company. Most of these entities were found to be staffing firms, healthcare providers, or temporary employment agencies, suggesting that the impact of this leak may extend across numerous organizations relying on shared software infrastructure.

Connection to Logezy

File names and folder structures within the exposed dataset point to Logezy, a UK-based company specializing in cloud software for workforce management. Logezy’s platform offers a suite of tools aimed at helping businesses streamline payroll, staff scheduling, compliance tracking, and employee data management, especially for temporary and contract workers.

While the evidence ties the data to Logezy’s system, it’s unclear whether the database was under the direct control of the company or managed by a third-party service provider. This lack of clarity further complicates questions around responsibility and accountability.

Timeline and Immediate Actions

The database was discovered by a researcher who promptly sent a responsible disclosure notice to Logezy. Shortly afterward, access to the database was restricted, and it is no longer publicly reachable. However, the duration of the exposure remains unknown, and there is no confirmation yet as to whether any unauthorized parties accessed or downloaded the data while it was publicly available.

A detailed forensic audit would be necessary to determine whether any malicious access occurred and to evaluate the full scope of the breach. As of now, no official comment has been released by Logezy, and it is not known whether affected users or organizations have been notified.

Focus on Healthcare Sector

Although Logezy advertises services for a broad range of industries, the files viewed in this incident were all related to healthcare workers, suggesting a concentrated risk for individuals in that field. Healthcare professionals handle critical and often confidential tasks, making this exposure particularly serious given the regulatory and reputational risks involved.

Broader Implications

This case is a sobering reminder of the vulnerabilities tied to cloud-based systems and the high stakes involved when managing personal data at scale. Even a simple misconfiguration, such as failing to password-protect a database, can result in devastating breaches affecting thousands—or even millions—of individuals.

As digital platforms become more integrated into hiring and staffing operations, companies must prioritize security alongside convenience. Compliance with data protection laws like the UK GDPR isn’t just a legal requirement—it’s a moral responsibility to the people whose data is being stored.

Until Logezy provides more information, businesses and individuals connected to the platform are left with questions and growing concern about what data may have been compromised.