We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Over 2,300,000 Records of Family Entertainment Business Were Exposed in Data Breach

Jeremiah Fowler, Cybersecurity researcher. Published on 11th March 2024

Cybersecurity researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password-protected database that contained over 2.3 million documents belonging to Kids Empire, a US operator of recreational centers.

The publicly exposed database contained 2,363,222 documents in .PDF and .PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, and receipts with partial credit card numbers and transaction details. Additionally, there were digital gift cards with no expiration date, source images for websites and templates. I immediately sent a responsible disclosure notice to Kids Empire. The database remained publicly accessible for at least three weeks before it was finally restricted. It is unclear how long the data was exposed or if anyone else may have had access to the non-password-protected database, as only an internal forensic audit could identify this information. Once the database was secured, Kids Empire representatives thanked me by email for my notification and indicated future steps they will take for data protection.

According to the PitchBook profile: Kids Empire is an operator of recreational centers intended to provide indoor fun facilities for kids. The company's centers offer parks that are temperature-controlled, safe, and clean where the small kids can enjoy a variety of games or delight themselves on the dance floor, enabling caregivers to keep an eye on the children while they enjoy their leisure time.

The data exposure poses potential privacy risks to customers by revealing personally identifiable information (PII) such as names, physical and email addresses, phone numbers, and details about the reservations. The mandatory waivers included the child’s name as well as the parent’s personal information and signature. Kids Empire has 68 locations across 18 states, including Arizona, California, Colorado, Florida, Georgia, Iowa, Illinois, Indiana, Kansas, Michigan, Minnesota, Missouri, Nevada, New Jersey, Pennsylvania, Texas, Utah, and Virginia.

The potential risks of exposing customer information can have a wide range of implications. Cyber criminals increasingly use sophisticated methods of social engineering to obtain additional personal, credit card, or banking information. According to the FBI, 98% of all cyber crimes start with social engineering. One hypothetical example would be a criminal calling a customer and using internal information to pose as a Kids Empire employee. They could say something like “I see you recently were at X location, and we want to offer you a refund of $X.XX to your card ending in #1234, can you please provide me with the rest of the number and the CVV security number on the back of the card?” I am not saying that any Kids Empire customers are inherently at risk of this type of fraudulent activity; I am only providing a real-world example for educational purposes. I recommend that anyone who receives suspicious communications asking for payment information always confirm that it is a legitimate request. The first step to do so is verifying that the person you are speaking with is who they say they are by using only official channels such as company email addresses or phone numbers.

In any data breach, the most significant potential risk is identity or financial theft. Although the records contained only partial credit card numbers, type of card, and transaction numbers, any internal customer information can serve as a puzzle piece to create a full target profile for criminals. Another potential risk would be malicious actors trying to exploit exposed information for targeted phishing attacks against customers. In this particular case — and in any data exposure — it is crucial for customers to be familiar with known deceptive tactics used by criminals online and offline. This way, the probability of falling victim to such methods is lower.

Even though Kids Empire provides an offline service for family entertainment, this exposure shows how data is now a prevalent part of nearly all aspects of life. In an era where digital threats are constantly evolving, I urge companies to take proactive steps such as encrypting internal records, regularly updating security protocols, and conducting comprehensive risk assessments on the environments where sensitive data is stored. I highly recommend that companies that collect and store data have a dedicated communication channel for data and privacy issues that is separate from customer support. Offline businesses do not usually train their customer support representatives to handle data security protocols, which can lead to delays in addressing potential security incidents, and thereby put potentially sensitive customer or business information at further risk. During a data breach, every second counts. Being prepared with a plan in place is a great proactive way to mitigate and minimize the potential damage of the exposure.

I imply no wrongdoing by Kids Empire, nor am I suggesting that any customers or their data was ever at risk. As an ethical security researcher, I never download the data I discover and only conduct a limited manual review for verification and notification purposes. My investigations are strictly confined to a limited manual review, solely undertaken for the purposes of verification and subsequent notification to the relevant parties. Any discussion of hypothetical risks is intended purely for educational purposes, aiming to foster awareness and promote better security practices.

 

Disclaimer: The content and images in this article are the property of vpnMentor. We permit our images and content to be shared, as long as a credit with a link to the source is provided to vpnMentor as the original author. This way, we can continue our mission to provide expert content and maintain the integrity of our intellectual property.

About the Author

Jeremiah, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, is renowned for uncovering some of the world’s most significant data breaches. Together with the vpnMentor team, he has been instrumental in securing the personal data of millions globally.

His journey in cybersecurity, sparked by his interest in a data breach at a former company, transformed from a passion into a recognized expertise, establishing him as a respected thought leader in the industry.
