PPSFamily.com (Professional Probation Services)

Over 480,000 probationers personal data exposed publicly due to a misconfiguration

Who is PPSFamily?

“At PPS, we understand the ongoing concern with privatization of probation. That is why our standards are second to none. We require a bachelor’s degree and 20 hours of training each year for our probation officers and our Department of Compliance works with each of our local field offices to ensure the ethical and appropriate enforcement of the conditions of probation. We are fully bonded and insured, and our contracts may each be terminated at any time without cause.

We operate six-day, full time offices with case transfer capabilities to more than sixty (60) locations nationwide. PPS companies offer 100% offender-funded models as well as government supplemented or fully-funded programs. We can design a funding model that fits your community’s specific needs” from PPSFamily.com website

Finding the exposed data

During the morning of October 28th while looking at some of my feeds I noticed a server with a couple of database backups and a compressed archive exposed so I went to check what they contained.

Screenshot of an alert showing the exposed data. First alert I have for this data goes back to September 3rd.

Text within this block will maintain its original spacing when published

Examining the data

Part 1 - The database backups

One of the files contained logs for their web apps.

The other 3 were all backups from the same source on different dates.

The database backup contained the tables:

227BkupJudge,Activities,Addresses,Agencies,Appointments,appointment_tmp,BKUp_Apts_053124,BKUP_ProbOffice,CaseCounts,CellServices,Change_DUI_102821,Charges,ChgCOATolled2Closed,ChgCOATolled2ClosedBkup,ClassAttendance,COADeleteWarrants,CommunityService,CommunityService_BK030524,CommunityServiceDetails,Contacts,CourtOrderConditions,CourtOrderedPrograms,CourtOrderedProgramsList,Courts,CV_Template,DailyReceipts,Date_Invoice_Type,DCS_CityReference,DCS_CountyReference,Dgvlle,Dgvlle2,DlyTotals,Docs,DrugTestCost,DrugTestDates,DrugTestList,DrugTestResults,DrugTests,dummy,EMConditions,EPCS_Work,Eyes,FeeMatrix,FixValdostaCitation,Forsyth_STC_NR_Pmts,FultonStatusChg,FxWPB_Mo_ChkIn,GPMInvCrossXref,GPMPaymentInfo,GridXref,Hair,Hearings,HearingsCourtActivity,HearingsDispositions,Hold_27_Appointments,Holidays,Invoice,InvoiceBU,InvoiceBU2,InvoiceType,InvoiceTypeCourtMatrix,Judges,Languages,larrySavLog,LastViewedProb,Lists,LobbyQueue,Logs,MoShowHoldAppointments,norcrossbal,Notes,NotesActivities,Notes_GPM_OldData,Notes_GPM_OldData_BkUp,Offense,Offices,OfficesSatellite,OnlineReports,PageHits,Payee,PaymentDeletes,PaymentDetail,PaymentMethod,Payments,PaymentTypes,Persons,PetitionData,PhoneCellBad,Pictures,POChange_17_060523,prob_102621,Probationers,Probationers_010124,ProbationType,ProbationTypeMatrix,Race,SarasotaClosed,savstatus,SENTINELWarrantsCOA,SMS_Blitz,SMS_Blitz_olr,SpaldingHold,States,StatusDetails,StatusList,TCCSPmt,TCPayments,TCPaymentv2,TextMessages,TextMsgVars,tmpCourtBalance,tmpCourtBalanceCompare,tmpCV_Template,tmpDCS,tmpInv,tmpProbFeesDate,tmpRequest,tmpStatCk,tmpTestDates,UnsubscribedNumbersCDYNE,UserCourts,Users,VerifyInfo,Victims,WalkIns,WarrantData,WarrantDates,WarrantDates_Sav,wrknotes,XRef

The biggest table was Notes with almost 20 million entries, some examples with the PII stripped of them:

Good afternoon.. You arrested my 5 month high risk pregnant daughter for not being able to come an hour and half away to take a drug screen 2 days after she told you in person that she has no license or car to come the 60 mile drive from loganville to your office.. She has asked you more than once to transfer it to one of the 7 offices less than 10 minutes from her house and you won't ..','2023-03-07 14:43:12',

PC FROM DEF @ 1028 AM AND HE WAS TALKING CRAZY AND SAID THE FBI AND NAVY WAS STALKING HIM AND HE WAS STABBED LAST NIGHT AND HAS THIRTEEN STITCHES AND CAN NOT WORK FOR TWO WEEKS. DEF ALSO SAID THE FBI WAS USING INVISIBILITY CLOAKS AND STALKING HIM AND ALSO USUING MOUTHPIECES TO SPY ON HIM. CALLED JERI AT THE COURTHOUSE TO LET HER LISTEN TO THIS ALSO. TOLD DEF TO REPORT TO COURT 10/14/20 TO TELL THE JUDGE ALL OF THIS. DEF DEFINELY NEEDS A MENTAL EVAL. LC','2020-10-12 10:30:49',

The most interesting table was Probationers with 467,383 entries, the fields listed were:

ProbID, CourtID, OfficeID, SentenceDate, ProbationDate, ProbationExpires, TermMonths, ProbationTypeID, JudgeID, PO, ProbFeePerMonth, VCFFeePerMonth, StatusCurrent, FName, MName, LName, Suffix, Sex, Hair, Eyes, Height, Weight, DOB, Race, SSN, PhoneCell, PhoneHome, EMail, EnteredBy, EnterDate, PhyStreet, PhyStreet2, PhyCity, PhyState, PhyZip, MailStreet, MailStreet2, MailCity, MailState, MailZip, Employer, EmployerLocation, EmployerPhone, ReportType, DL, DLState, CLP_ProbID, EarlyTerm, ModifyBy, ModifyDate, GPMID, FirstOffender, ConditionalDischarge, DrugCourt, DUICourt, ConvDocket, PrimaryCase, HoldAndClear, FinancialNote, TollDaysRemaining, TolledWarrantOrigExpireDate, PleaInAbeyance, PostIT, DoNotText, MinMonthlyPmt, PayByDate, RandomDrugTests, RandomDrugInterval, RandomDrugTexting, DoNotClose, OfficeSatelliteID, CareCourt, VetCourt, NeedsProbUpdate, MaritalStatus, Children, NumChildren, ChildrenLiveWith, Income, EducationLevel, Language, PrevArrestNumber, PBC_Division, DrugScreenLabLocation, DrugScreenType, SPOS, InvoicesZeroed, DPA, VerifiedMeds, LSRisk, PTR_Recommended, PTR_DeniedByJudge, PTR_CourtAppearanceDate, PTR_FTADate, PTR_WarrantIssued, PTR_NewArrest, PTR_TechViol, PTR_IndigentPDAppointed, Felony, FPSKey, DaysCredit, SAP, JailHold, PaymentPlan, CBMoneyDue, ORCADocket, XKey, NonCompliant, GUID

Some stats on it:

388,685 SSN entries - 330,988 unique

222,998 email addresses - 195,936 unique

The top 10 email domains:

139830 gmail.com

26879 yahoo.com

10539 icloud.com

4430 hotmail.com

2643 aol.com

1987 outlook.com

867 live.com

707 comcast.net

589 ymail.com

532 bellsouth.net

Full list: https://pastebin.com/V5pExVVS

The user table contained 987 users with the fields:

UserID, Password, LastActivity, LastPasswordChange, ref, UserName, EMail, Phone, LName, FName, isAdmin, isActive, isPO, isReadOnly, isSuperAdmin, LogonTime, ForcePwdReset, EnterDate, EnteredBy, Street, Street2, City, State, Zip, ScreenWidth, isAdminSenior, isViewAll, Stack, WorkingOfficeID, WorkingOfficeSatelliteID, isAudit, isEmployee, is2FA, is2FAVerified, PostIT, isUtahPO, CCReportAccess, HireDate, TermDate, isGAEmployee

The top 10 email domains:

392 ppsinfo.net

178 judicialservices.com

145 gpm-probation.com

18 keyscourts.net

8 myokaloosa.com

8 cachesheriff.org

7 ironcounty.net

7 brevardfl.gov

6 integritysupervision.com

6 cachesheriff.gov

The full email domain list of the users: https://pastebin.com/ShX9Eu7P

Part 2 - The archived file

Now this file contained inside a backup of their website and configuration files with a lot of hard coded credentials. I don’t know if any of the credentials were valid, I do not test any credentials when I find them.

Some of the services that had credentials leaked:

AWS

MySQL

Email servers

Website

Licence keys for SMS service

Hard coded credentials on a php file.

This also contained various endpoints to query data and I tried one and I could iterate through the appointments without authentication.

Notifying the company

With the data exposed here I went to PPSFamily website and checked their Management page and matched most of them to a company email and sent a notification the same morning I found this, October 28th.

Email notification sent to most of PPSFamily Management Team.

Around 5-6 hours after my email, I saw the backups weren’t accessible anymore, shortly after I saw the endpoint that was exposed and I could iterate through now gave me an error connecting.

I waited until October 31st for any contact but since the company never reached out I emailed everyone again asking what was their intention regarding the disclosure of this incident, because I would prefer to make my post only after they disclose it, if that was their intention.

Email asking about PPSFamily intentions regarding disclosure.

The day after I sent the 2nd email I opened their website while writing about this and noticed they removed their Management and Our Companies tabs from their website.

Not sure what’s the plan here, Internet Archive and similar services exist.

Before and after of PPSfamily website

Text within this block will maintain its original spacing when published

How long was this exposed for and did anyone else find this?

This is something only PPSFamily can answer, I can confirm this was exposed at least from September 3rd to October 28th, but I don’t know exactly how long or who else found this data.

Final notes

PPSFamily motto like phrase on their Ethics page:

“A corporate culture of knowing right from wrong, and doing right- every time.”

Apparently the right thing to do here was ignoring the person who warned them about this and hide all the management and their companies contacts.

Time and time again this is what I get, I notify the companies, I get ignored, suddenly CEOs etc erase any connections to the company on their Social Media accounts and the public disclosure never comes.

Hopefully PPSFamily will know right from wrong when it comes to deciding if they should notify the people affected by them exposing their data publicly.

At the time of publishing this, I have yet to receive any form of communication from PPSFamily.

---

Text within this block will maintain its original spacing when published

For more posts about what I find exposed you can check: https://infosec.exchange/@JayeLTee