A major data exposure incident has compromised the personal and sensitive information of nearly a quarter-million individuals, following the discovery of an unsecured database linked to Rockerbox, a Texas-based tax credit consulting firm.
Cybersecurity researcher Jeremiah Fowler, in collaboration with vpnMentor, identified a publicly accessible and unencrypted database containing 245,949 records totaling 286.9 GB. The data included personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers (SSNs), driver’s licenses, military discharge forms (DD214s), and employment-related tax documents. Many of the files were unprotected and stored in plain text, posing a significant security risk.
The database appeared to be connected to Rockerbox, a Dallas-based company that helps employers claim tax incentives like the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), and R&D credits. Although the records suggest the database originated from Rockerbox, it remains unclear whether it was directly managed by the company or by a third-party vendor. No official response was received from Rockerbox following the responsible disclosure, but the database was secured within several days of the report.
Included in the exposed data were documents labeled “forms,” stored as password-protected PDFs. However, the file names themselves often contained sensitive data such as individual names, employer information, and numeric codes. While Fowler did not attempt to unlock the protected files, he emphasized that embedding such data in file names is a poor security practice and may unintentionally increase the risk of unauthorized access through metadata, browser logs, or shared links.
Rockerbox serves a wide range of industries, including healthcare, hospitality, logistics, food processing, and skilled trades. This widespread client base means the exposure could affect individuals and businesses across the United States. Though not all files were accessible, many could be viewed using only a standard internet connection and browser.
The exposure underscores the risks of inconsistent security configurations in cloud storage. When access controls are weak or improperly set, organizations may unknowingly expose private data, leaving it vulnerable to cybercriminals. Fowler highlighted that the numeric identifiers in the file names could potentially be used to guess the passwords of protected files, although he stressed that he did not test this theory and presented it only as a hypothetical risk.
Data like SSNs, full names, dates of birth, and driver’s license numbers—especially when combined with employment and salary information—are highly valuable to identity thieves. Such data can be used to open fraudulent accounts, apply for loans, or file false tax returns. The Federal Trade Commission reported more than 1.1 million identity theft cases in 2024 alone, with losses exceeding $12.7 billion.
Fowler provided general advice for those concerned that their information may have been exposed. Individuals are encouraged to monitor financial statements, check their credit reports, and place fraud alerts or credit freezes with the major credit bureaus—Experian, Equifax, and TransUnion. The FTC’s IdentityTheft.gov platform also offers a valuable resource for recovery steps.
For businesses, the breach highlights the importance of robust data security protocols. Encryption should be standard for all files containing PII, and organizations should avoid using identifiable information in file names or URLs. Regular audits, access log reviews, and zero-trust security models are essential to protecting internal systems and sensitive data stored in the cloud.
It’s important to note that Rockerbox (Screen Technologies LLC, doing business as Rockerbox.tech) is not affiliated with Rockerbox.com, a marketing analytics firm acquired by DoubleVerify in 2025. Despite sharing the same name, the two companies operate in entirely different sectors.
Fowler made clear that his research is intended purely to raise awareness and promote best practices. He does not assert or imply that Rockerbox or any of its affiliates engaged in wrongdoing or that client data was actively compromised. His role as an ethical security researcher is to discover vulnerabilities and notify the affected parties without engaging in unauthorized access or data retention.
The breach serves as another stark reminder of how simple oversights in digital security—like misconfigured cloud storage—can lead to potentially serious consequences, even for companies with no malicious intent. Proactive security measures are no longer optional but a critical requirement in the age of widespread data-driven operations.