Homeowners urged to be vigilant for scams after ‘shocking’ data breach at major smoke alarm provider

One of Australia’s largest smoke alarm companies left hundreds of thousands of documents containing sensitive customer information exposed online for nearly three months where they were “very likely” accessed by malicious actors, a cybersecurity researcher has warned.

Smoke Alarm Solutions, which operates in NSW, Victoria, Queensland and South Australia and has serviced two million properties since 2007, left 762,856 documents totalling 107GB in a non-password-protected database, according to cybersecurity researcher Jeremiah Fowler.

He says the company failed to secure the information for several months even after he sent a responsible disclosure notice.

The files included more than 355,000 detailed invoices dated from 2021 to 2024, records of inspections, estimates, compliance reports, electrical safety inspections, service quotes and service reports, Mr Fowler said in a report published by vpnMentor this week.

Nearly 25,000 additional documents marked as “on-site quotes” contained names and email addresses of the business, agent or individual obtaining a quote.

The revelation is “perfect timing”, Mr Fowler said, coming just days after the consumer watchdog warned of a surge in fake invoice scams which have cost Australians more than $16 million over the past 12 months.

“It’s very likely [the information was accessed by hackers] actually, because the bad guys are looking for the same data that I’m looking for, except when I find it I verify, validate and report it, but the bad guys are using it as a tool for scams, phishing attempts, anything they can get,” the Germany-based researcher told news.com.au.

“In this case you had templates of thousands of invoices. This company offers subscription services, you can see when the subscription is going to expire. So for example, you wait until about one month before it expires and say, ‘Hey we’re going to give you a 50 per cent discount.’”

Mr Fowler said the documents contained “details only the company and the homeowner would know”.

“Locations of smoke alarms, what type was there, the last date of work orders, so it provides this position of trust,” he said.

“The customer slash victim wouldn’t have any reason to suspect [a scam].”

Mr Fowler said he often found “very sensitive data from very small companies”.

“In this case you have a few hundred thousand customers, you don’t think of them as being technical or digital but they collect and store digital records of the services they provide,” he said.

According to the researcher, after he first notified the company he received a reply from a technology consultant that read, “We are aware of this data store. Its state is the unfortunate side effect of some work by a previous system integrator. We are actively migrating to a new customer management platform. We will block all access (or more likely, decommission) this data store as soon as we have migrated the data to our new platform.”

But Mr Fowler said it the issue was not fixed for months and it was unclear how long the documents were exposed overall.

“The worst thing was just how long it was [left online],” he said.

“I literally emailed them a follow-up email [after the initial disclosure] and was like, ‘Guys, it’s still available.’ A month-and-a-half in I actually sent them links to the cloud hosting providers on how to secure data, and it still stayed open for another month.”

A legal representative for Smoke Alarm Solutions said in a statement to Mr Fowler, “Based on the circumstances of the alleged incident as instructed by our client, the alleged incident does not, in our view, constitute a notifiable data breach under the Act, and therefore our client is not required to notify either the authorities or any individual about such alleged incident.”

Smoke Alarm Solutions has been contacted for comment.

Mr Fowler said service providers in regulated markets had a unique responsibility to protect customer data.

In Australia, all properties are legally required to have smoke alarms installed on every level of a home. The fire and security alarm installation services industry is worth around $4 billion annually, according to IBISWorld.

“In Australia it’s an interesting dynamic because you’re required to have a smoke alarm, you’ve got the penalty of law and you’ve got a company that’s going to take care of that for you,” he said.

It comes as the Australian Competition and Consumer Commission (ACCC) urges people to triple-check their invoices.

Scammers impersonate real businesses that the victim has previously interacted with and send through a bill for a service. They work in volume, hoping a tiny percentage of recipients are complacent enough to trust the unidentified number or email addresses asking them to foot a bill.

The fraudulent invoices are sometimes sent via compromised email accounts of the business or through a fake email that closely resembles the legitimate business’s email.

Victims often only realise they have been scammed when the actual business follows up on the unpaid invoice.

High-value industries such as real estate and construction are frequently targeted due to the large sums typically invoiced. Travel companies and car dealerships have also been recent targets.

But scammers also play in small numbers, regularly posing as roads services asking for recipients to pay overdue tolls.

“Scammers are sophisticated criminals and are becoming more targeted in how they exploit Australian consumers and businesses,” ACCC Deputy Chair Catriona Lowe said.

“These criminals are posing as genuine businesses that a consumer has recently dealt with, sending fake invoices with altered payment details so that the money ends up with the scammer.”

One of the worst hit victims over the past year was a couple who lost an astonishing $800,000 after paying the sum to a fraudulent bank account provided by a scammer impersonating their solicitor as they attempted to secure a property.

Another individual lost $35,000 to scammers who compromised the email of a car dealership, misleading him with a fake invoice after he had already made a secure deposit.