Over 2,300,000 records of Family Entertainment Business Were Exposed in Data breach

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password protected database that contained over 2.3 million documents belonging to Kids Empire, an US operator of recreational centers.

The publicly exposed database contained 2,363,222 documents in.PDF and.PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, and receipts with partial credit card numbers and transaction details. Additionally, there were digital gift cards with no expiration date, source images for websites and templates. I immediately sent a responsible disclosure notice to Kids Empire. The database remained publicly accessible for at least three weeks before it was finally restricted. It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information. Once the database was secured, Kids Empire representatives thanked me by email for my notification and indicated future steps they will take for data protection.

According to the PitchBook profile: Kids Empire is an operator of recreational centers intended to provide indoor fun facilities for kids. The company's centers offer parks that are temperature-controlled, safe, and clean where the small kids can enjoy a variety of games or delight themselves on the dance floor, enabling caregivers to keep an eye on the children while they enjoy their leisure time.

The data exposure poses potential privacy risks to customers by revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers, and details about the reservations. The mandatory waivers included the child’s name as well as the parent’s personal information and signature. Kids Empire has 68 locations across 18 states, including Arizona, California, Colorado, Florida, Georgia, Iowa, Illinois, Indiana, Kansas, Michigan, Minnesota, Missouri, Nevada, New Jersey, Pennsylvania, Texas, Utah, and Virginia.

The potential risks of exposing customer information can have a wide range of implications. Cyber criminals increasingly use sophisticated methods of social engineering to obtain additional personal, credit card, or banking information. According to the FBI, 98% of all cyber crimes start with social engineering. One hypothetical example would be a criminal calling a customer and using internal information to pose as a Kids Empire employee. They could say something like “I see you recently were at X location, and we want to offer you a refund of $X.XX to your card ending in #1234, can you please provide me with the rest of the number and the CVV security number on the back of the card?” I am not saying that any Kids Empire customers are inherently at risk of this type of fraudulent activity, I am only providing a real world example for educational purposes. I recommend that anyone who receives suspicious communications asking for payment information always confirm that it is a legitimate request. The first step to do so is verifying that the person you are speaking with is who they say they are by using only official channels such as company email addresses or phone numbers.

In any data breach, the most significant potential risk is identity or financial theft. Although the records contained only partial credit card numbers, type of card, and transaction numbers, any internal customer information can serve as a puzzle piece to create a full target profile for criminals. Another potential risk would be malicious actors trying to exploit exposed information for targeted phishing attacks against customers. In this particular case — and in any data exposure — it is crucial for customers to be familiar with known deceptive tactics used by criminals online and offline. This way, the probability of falling victim to such methods is lower.

Even though Kids Empire provides an offline service for family entertainment, this exposure shows how data is now a prevalent part of nearly all aspects of life. In an era where digital threats are constantly evolving, I urge companies to take proactive steps such as encrypting internal records, regularly updating security protocols, and conducting comprehensive risk assessments on the environments where sensitive data is stored. I highly recommend that companies that collect and store data have a dedicated communication channel for data and privacy issues that is separate from customer support. Offline businesses do not usually train their customer support representatives to handle data security protocols, which can lead to delays in addressing potential security incidents, and thereby put potentially sensitive customer or business information at further risk. During a data breach, every second counts. Being prepared with a plan in place is a great proactive way to mitigate and minimize the potential damage of the exposure.

I imply no wrongdoing by Kids Empire, nor am I suggesting that any customers or their data was ever at risk. As an ethical security researcher, I never download the data I discover and only conduct a limited manual review for verification and notification purposes. My investigations are strictly confined to a limited manual review, solely undertaken for the purposes of verification and subsequent notification to the relevant parties. Any discussion of hypothetical risks is intended purely for educational purposes, aiming to foster awareness and promote better security practices.