A significant data exposure incident has revealed nearly 250,000 sensitive records from a misconfigured cloud storage system, believed to be associated with Rockerbox, a Dallas-based consultancy focused on tax credits. A cybersecurity expert uncovered the unsecured data and reported it to vpnMentor, underscoring how basic security oversights can open doors to highly sensitive personal information.
The database in question, totaling 286.9 GB, lacked encryption, had no password protection, and could be freely accessed by anyone with a browser. Among the 245,949 records were unencrypted Social Security numbers, full names, birth dates, home addresses, military discharge documents (DD214s), driver’s licenses, tax credit forms, and even ID cards.
Compounding the issue, the data was not only exposed but also organized in ways that made it easy to search and exploit. Many file names included personal identifiers such as applicant names, employers, and official form numbers. Alarmingly, some PDFs—though password-protected—had what appeared to be the passwords included directly in their file names, a major lapse in security protocol.
Rockerbox reportedly did not respond to the responsible disclosure, though the database was eventually secured a few days later. It remains unclear how long the records were publicly accessible or if they were accessed by unauthorized parties during that window.
“Breaches like this, with a high volume of personal and tax-related data, pose serious risks to those affected,” said Erich Kron, a security awareness expert at KnowBe4. “This type of information is a goldmine for identity thieves and scammers.”
The leaked records appear to relate to applications for federal programs like the Work Opportunity Tax Credit (WOTC) and the Employee Retention Tax Credit (ERTC), both of which involve in-depth personal and employment-related data. All this information was openly available without even minimal safeguards.
The researcher clarified that he did not bypass any protections or decrypt any files. However, the lack of proper access restrictions and the flawed naming conventions could have made it easy for even an unsophisticated attacker to locate and misuse the data.
Kron also pointed out that cybersecurity must go beyond technical fixes. “Organizations handling sensitive information must embed security into their culture,” he said. “Training employees to spot social engineering and implementing strong technical controls—like encryption and Data Loss Prevention (DLP) systems—are critical.”
This breach is particularly alarming in the context of rising fraud and identity theft. The FTC received over 1.1 million identity theft reports in 2024, with losses exceeding $12.7 billion. While there’s currently no confirmed evidence that the leaked data has been exploited, the potential damage is significant.
It’s worth noting that the company involved—Screen Technologies LLC, operating as Rockerbox.tech—has no connection to Rockerbox.com, a marketing analytics firm acquired by DoubleVerify in 2025.
This incident serves as a sobering reminder: in a world increasingly reliant on cloud-based infrastructure, even a single misconfigured storage bucket can lead to a breach with far-reaching consequences. Despite all the attention on cutting-edge cyber threats, it’s still the simplest mistakes—like leaving data unprotected—that pose some of the greatest risks.
