PPSFamily.com (Professional Probation Services)
Over 480,000 probationers personal data exposed publicly due to a misconfiguration
Who is PPSFamily?
“At PPS, we understand the ongoing concern with privatization of probation. That is why our standards are second to none. We require a bachelor’s degree and 20 hours of training each year for our probation officers and our Department of Compliance works with each of our local field offices to ensure the ethical and appropriate enforcement of the conditions of probation. We are fully bonded and insured, and our contracts may each be terminated at any time without cause.
We operate six-day, full time offices with case transfer capabilities to more than sixty (60) locations nationwide. PPS companies offer 100% offender-funded models as well as government supplemented or fully-funded programs. We can design a funding model that fits your community’s specific needs” from PPSFamily.com website
Finding the exposed data
During the morning of October 28th while looking at some of my feeds I noticed a server with a couple of database backups and a compressed archive exposed so I went to check what they contained.
Examining the data
Part 1 - The database backups
One of the files contained logs for their web apps.
The other 3 were all backups from the same source on different dates.
The database backup contained the tables:
227BkupJudge,Activities,Addresses,Agencies,Appointments,appointment_tmp,BKUp_Apts_053124,BKUP_ProbOffice,CaseCounts,CellServices,Change_DUI_102821,Charges,ChgCOATolled2Closed,ChgCOATolled2ClosedBkup,ClassAttendance,COADeleteWarrants,CommunityService,CommunityService_BK030524,CommunityServiceDetails,Contacts,CourtOrderConditions,CourtOrderedPrograms,CourtOrderedProgramsList,Courts,CV_Template,DailyReceipts,Date_Invoice_Type,DCS_CityReference,DCS_CountyReference,Dgvlle,Dgvlle2,DlyTotals,Docs,DrugTestCost,DrugTestDates,DrugTestList,DrugTestResults,DrugTests,dummy,EMConditions,EPCS_Work,Eyes,FeeMatrix,FixValdostaCitation,Forsyth_STC_NR_Pmts,FultonStatusChg,FxWPB_Mo_ChkIn,GPMInvCrossXref,GPMPaymentInfo,GridXref,Hair,Hearings,HearingsCourtActivity,HearingsDispositions,Hold_27_Appointments,Holidays,Invoice,InvoiceBU,InvoiceBU2,InvoiceType,InvoiceTypeCourtMatrix,Judges,Languages,larrySavLog,LastViewedProb,Lists,LobbyQueue,Logs,MoShowHoldAppointments,norcrossbal,Notes,NotesActivities,Notes_GPM_OldData,Notes_GPM_OldData_BkUp,Offense,Offices,OfficesSatellite,OnlineReports,PageHits,Payee,PaymentDeletes,PaymentDetail,PaymentMethod,Payments,PaymentTypes,Persons,PetitionData,PhoneCellBad,Pictures,POChange_17_060523,prob_102621,Probationers,Probationers_010124,ProbationType,ProbationTypeMatrix,Race,SarasotaClosed,savstatus,SENTINELWarrantsCOA,SMS_Blitz,SMS_Blitz_olr,SpaldingHold,States,StatusDetails,StatusList,TCCSPmt,TCPayments,TCPaymentv2,TextMessages,TextMsgVars,tmpCourtBalance,tmpCourtBalanceCompare,tmpCV_Template,tmpDCS,tmpInv,tmpProbFeesDate,tmpRequest,tmpStatCk,tmpTestDates,UnsubscribedNumbersCDYNE,UserCourts,Users,VerifyInfo,Victims,WalkIns,WarrantData,WarrantDates,WarrantDates_Sav,wrknotes,XRef
The biggest table was Notes with almost 20 million entries, some examples with the PII stripped of them:
Good afternoon.. You arrested my 5 month high risk pregnant daughter for not being able to come an hour and half away to take a drug screen 2 days after she told you in person that she has no license or car to come the 60 mile drive from loganville to your office.. She has asked you more than once to transfer it to one of the 7 offices less than 10 minutes from her house and you won't ..','2023-03-07 14:43:12',
PC FROM DEF @ 1028 AM AND HE WAS TALKING CRAZY AND SAID THE FBI AND NAVY WAS STALKING HIM AND HE WAS STABBED LAST NIGHT AND HAS THIRTEEN STITCHES AND CAN NOT WORK FOR TWO WEEKS. DEF ALSO SAID THE FBI WAS USING INVISIBILITY CLOAKS AND STALKING HIM AND ALSO USUING MOUTHPIECES TO SPY ON HIM. CALLED JERI AT THE COURTHOUSE TO LET HER LISTEN TO THIS ALSO. TOLD DEF TO REPORT TO COURT 10/14/20 TO TELL THE JUDGE ALL OF THIS. DEF DEFINELY NEEDS A MENTAL EVAL. LC','2020-10-12 10:30:49',
The most interesting table was Probationers with 467,383 entries, the fields listed were:
ProbID, CourtID, OfficeID, SentenceDate, ProbationDate, ProbationExpires, TermMonths, ProbationTypeID, JudgeID, PO, ProbFeePerMonth, VCFFeePerMonth, StatusCurrent, FName, MName, LName, Suffix, Sex, Hair, Eyes, Height, Weight, DOB, Race, SSN, PhoneCell, PhoneHome, EMail, EnteredBy, EnterDate, PhyStreet, PhyStreet2, PhyCity, PhyState, PhyZip, MailStreet, MailStreet2, MailCity, MailState, MailZip, Employer, EmployerLocation, EmployerPhone, ReportType, DL, DLState, CLP_ProbID, EarlyTerm, ModifyBy, ModifyDate, GPMID, FirstOffender, ConditionalDischarge, DrugCourt, DUICourt, ConvDocket, PrimaryCase, HoldAndClear, FinancialNote, TollDaysRemaining, TolledWarrantOrigExpireDate, PleaInAbeyance, PostIT, DoNotText, MinMonthlyPmt, PayByDate, RandomDrugTests, RandomDrugInterval, RandomDrugTexting, DoNotClose, OfficeSatelliteID, CareCourt, VetCourt, NeedsProbUpdate, MaritalStatus, Children, NumChildren, ChildrenLiveWith, Income, EducationLevel, Language, PrevArrestNumber, PBC_Division, DrugScreenLabLocation, DrugScreenType, SPOS, InvoicesZeroed, DPA, VerifiedMeds, LSRisk, PTR_Recommended, PTR_DeniedByJudge, PTR_CourtAppearanceDate, PTR_FTADate, PTR_WarrantIssued, PTR_NewArrest, PTR_TechViol, PTR_IndigentPDAppointed, Felony, FPSKey, DaysCredit, SAP, JailHold, PaymentPlan, CBMoneyDue, ORCADocket, XKey, NonCompliant, GUID
Some stats on it:
388,685 SSN entries - 330,988 unique
222,998 email addresses - 195,936 unique
The top 10 email domains:
139830 gmail.com
26879 yahoo.com
10539 icloud.com
4430 hotmail.com
2643 aol.com
1987 outlook.com
867 live.com
707 comcast.net
589 ymail.com
532 bellsouth.net
Full list: https://pastebin.com/V5pExVVS
The user table contained 987 users with the fields:
UserID, Password, LastActivity, LastPasswordChange, ref, UserName, EMail, Phone, LName, FName, isAdmin, isActive, isPO, isReadOnly, isSuperAdmin, LogonTime, ForcePwdReset, EnterDate, EnteredBy, Street, Street2, City, State, Zip, ScreenWidth, isAdminSenior, isViewAll, Stack, WorkingOfficeID, WorkingOfficeSatelliteID, isAudit, isEmployee, is2FA, is2FAVerified, PostIT, isUtahPO, CCReportAccess, HireDate, TermDate, isGAEmployee
The top 10 email domains:
392 ppsinfo.net
178 judicialservices.com
145 gpm-probation.com
18 keyscourts.net
8 myokaloosa.com
8 cachesheriff.org
7 ironcounty.net
7 brevardfl.gov
6 integritysupervision.com
6 cachesheriff.gov
The full email domain list of the users: https://pastebin.com/ShX9Eu7P
Part 2 - The archived file
Now this file contained inside a backup of their website and configuration files with a lot of hard coded credentials. I don’t know if any of the credentials were valid, I do not test any credentials when I find them.
Some of the services that had credentials leaked:
AWS
MySQL
Email servers
Website
Licence keys for SMS service
This also contained various endpoints to query data and I tried one and I could iterate through the appointments without authentication.
Notifying the company
With the data exposed here I went to PPSFamily website and checked their Management page and matched most of them to a company email and sent a notification the same morning I found this, October 28th.
Around 5-6 hours after my email, I saw the backups weren’t accessible anymore, shortly after I saw the endpoint that was exposed and I could iterate through now gave me an error connecting.
I waited until October 31st for any contact but since the company never reached out I emailed everyone again asking what was their intention regarding the disclosure of this incident, because I would prefer to make my post only after they disclose it, if that was their intention.
The day after I sent the 2nd email I opened their website while writing about this and noticed they removed their Management and Our Companies tabs from their website.
Not sure what’s the plan here, Internet Archive and similar services exist.
How long was this exposed for and did anyone else find this?
This is something only PPSFamily can answer, I can confirm this was exposed at least from September 3rd to October 28th, but I don’t know exactly how long or who else found this data.
Final notes
PPSFamily motto like phrase on their Ethics page:
“A corporate culture of knowing right from wrong, and doing right- every time.”
Apparently the right thing to do here was ignoring the person who warned them about this and hide all the management and their companies contacts.
Time and time again this is what I get, I notify the companies, I get ignored, suddenly CEOs etc erase any connections to the company on their Social Media accounts and the public disclosure never comes.
Hopefully PPSFamily will know right from wrong when it comes to deciding if they should notify the people affected by them exposing their data publicly.
At the time of publishing this, I have yet to receive any form of communication from PPSFamily.
For more posts about what I find exposed you can check: https://infosec.exchange/@JayeLTee