An extensive collection of private personal data, nearly 250,000 records, was discovered publicly accessible due to a misconfigured cloud database believed to be tied to Rockerbox, a tax credit consulting firm based in Dallas. A cybersecurity researcher uncovered the breach and alerted vpnMentor, revealing just how easily human error can compromise the privacy of thousands.

The database, measuring nearly 287 gigabytes, had no encryption, no login requirements, and was accessible to anyone online. Among the 245,949 files were highly sensitive documents including Social Security numbers, full names, home addresses, dates of birth, military separation records (DD214s), driver’s licenses, and tax credit application forms.

Even more troubling, the files were arranged in a way that made them easy to sort and analyze. Many included names of both applicants and their employers directly in the file titles, and some password-protected PDFs had hints—or even the actual passwords—embedded in their filenames, a dangerous and widely discouraged practice.

Although the researcher responsibly disclosed the issue, the company did not respond to his outreach. However, the database was eventually secured several days after the report. It remains unknown how long the data was exposed or whether it was accessed by cybercriminals during that time.

“This type of breach, containing such detailed personal and financial information, presents a serious risk of identity theft,” warned Erich Kron, a security awareness advocate at KnowBe4. “Scammers can use this data to impersonate victims, file fraudulent tax returns, or create convincing phishing attacks.”

The exposed documents were related to applications for federal programs like the Work Opportunity Tax Credit (WOTC) and the Employee Retention Tax Credit (ERTC), which require detailed employment and income records—precisely the kind of information criminals value most.

The researcher didn’t hack or bypass any protections; the files were simply left exposed by poor design. The absence of access restrictions and the inclusion of personal identifiers in file names made the data especially vulnerable, even to unskilled attackers.
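The file-naming problem described above can be checked for in a storage inventory before anything is ever exposed. The following is an added example, not part of the original report or any Rockerbox code: a small audit that flags object names carrying identifiers or password hints and derives a non-descriptive replacement name. The rule patterns, function names and sample file names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

# Heuristic rules: assumptions of this example, not taken from the article.
RULES = {
    "ssn_like": re.compile(r"(?<!\d)\d{3}[-_ ]?\d{2}[-_ ]?\d{4}(?!\d)"),
    "password_hint": re.compile(r"(?<![a-z])(?:pass(?:word|wd)?|pwd|pw)[-_ =:]+\S+", re.I),
    "birth_date": re.compile(r"(?:dob|birth)[-_ ]*\d{1,2}[-_./]\d{1,2}[-_./]\d{2,4}", re.I),
    "sensitive_doc_type": re.compile(r"(?<![a-z0-9])(?:dd-?214|ssn|drivers?[-_ ]?licen[sc]e)(?![a-z0-9])", re.I),
}


def audit_names(keys):
    """Return {key: [rule names]} for every object key that trips a rule.

    Only rule names are reported, so the audit output does not copy the
    sensitive value into yet another place.
    """
    findings = {}
    for key in keys:
        name = os.path.basename(key)
        hits = sorted(rule for rule, rx in RULES.items() if rx.search(name))
        if hits:
            findings[key] = hits
    return findings


def opaque_name(key, secret):
    """Derive a stable, non-descriptive replacement name (keyed HMAC), keeping the extension."""
    ext = os.path.splitext(key)[1].lower()
    digest = hmac.new(secret, key.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32] + ext


# Constructed sample inventory; none of these names come from the real incident.
SAMPLE_KEYS = [
    "wotc/2023/AcmeStaffing_Jane-Doe_123-45-6789.pdf",
    "ertc/forms/Form8850_JohnRoe_pw-Spring2024.pdf",
    "uploads/DD214_R_Smith_dob-04-12-1988.pdf",
    "uploads/9f2c4e1ab7d04c55.pdf",
]

if __name__ == "__main__":
    for key, hits in audit_names(SAMPLE_KEYS).items():
        print(f"{opaque_name(key, b'demo-secret')}  <-  flagged: {', '.join(hits)}")
```

Renaming only removes what the name itself leaks; the applicant-to-file mapping then belongs in an access-controlled index, and the store still needs authentication and encryption.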

Kron emphasized that security must go beyond passwords and firewalls. “Companies need to build a culture around protecting data. That means educating staff, using encryption, applying proper access controls, and deploying tools like Data Loss Prevention (DLP) systems to monitor and block unauthorized sharing of sensitive information.”

Given the growing epidemic of identity theft—over 1.1 million incidents were reported to the FTC in 2024, totaling $12.7 billion in losses—this breach, while not confirmed to have been exploited, raises serious concerns.

The affected company, Screen Technologies LLC (doing business as Rockerbox.tech), is not affiliated with Rockerbox.com, a marketing analytics company acquired by DoubleVerify in 2025. This incident is a stark reminder that, even in an era of advanced threats like AI-driven hacks and zero-day vulnerabilities, the biggest dangers often stem from basic negligence—like forgetting to secure a cloud database.