This week’s Cyber Intelligence House Leak of the Week highlights a breach involving TransparentBPO.com, a U.S.-headquartered business process outsourcing company providing outsourced customer experience and back-office services. The company operates delivery centers in Central America and the Caribbean, serving global clients across multiple industries.
In September 2025, a dataset was released on DarkForums by a user identified as flirt, containing extensive client and personnel records. The leaked dataset totals 51,438 files across 8 folders, with a combined size of 23.4 GB. The dataset contains 24,865 PDF, 10,529 JPG, 9,305 DOCX, 3,948 JPEG, and 2,085 PNG files, alongside smaller counts of legacy DOC/ODT/RTF files, multimedia, and structured data formats. These distributions indicate exposure of scanned IDs, contracts, and sensitive corporate records.
Sensitive items observed:
– “users.csv” — containing structured data with fields including email, contact_number, complete_address, tfa_secret, token, and auth_data, exposing both PII and potential authentication material.
– PDF scans of government-issued IDs and resumes — files visibly include candidate resumes, identity cards, and certificates, many paired with facial photographs and employment history.
– DOCX employment applications and HR forms — containing addresses, personal contact details, references, and signatures.
– Image files (JPG, JPEG, PNG) — profile-style photographs of applicants and employees alongside selfies used for identity verification.
– Certificates and credentials — education diplomas, aviation and IT certifications, and specialized training records that can be abused for fraud or social engineering.
Implications
For Individuals:
– Identity theft due to full exposure of identification documents, resumes, and contact details.
– Fraudulent employment and loan applications leveraging scanned certificates and resumes.
– Credential compromise if the exposed tfa_secret, token, and auth_data correlate with active accounts or systems.
For Transparent BPO:
– Regulatory exposure under data protection and privacy laws.
– Client trust impact as sensitive client-linked personnel records and authentication secrets were disclosed.
– Operational disruption from mandated notifications, potential investigations, and remediation activities.
Supply Chain Risks:
As Transparent BPO provides outsourced customer services, leaked data may intersect with client systems. Exposed tokens or two-factor secrets could provide adversaries with pathways into partner platforms, creating downstream compromise risks across multiple industries.
CIH’s Recommendations:
– Implement strong DLP controls to prevent bulk exfiltration of resumes, ID scans, and HR documents.
– Audit supplier and client integrations to confirm no API or credential-based exposure.
– Expand monitoring of criminal forums and file-sharing platforms for further reposts or data re-use attempts.
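The credential-compromise risk noted under Implications turns on whether leaked tfa_secret, token, and auth_data values still match live accounts, which is also the first thing a credential audit has to establish. The following Python is an added example, not code from CIH or Transparent BPO: it correlates a users.csv-style export against an internal inventory that stores only SHA-256 fingerprints of current secrets. The sample rows, the ACTIVE inventory, and the function names fp and triage are constructed assumptions.

```python
import csv
import hashlib
import hmac
import io

# Secret-bearing columns, named as in the report's description of users.csv.
SECRET_FIELDS = ("tfa_secret", "token", "auth_data")

# Constructed sample rows standing in for the leaked file; no real values.
LEAKED_CSV = """email,contact_number,complete_address,tfa_secret,token,auth_data
ana@example.com,555-0100,1 Sample St,SAMPLESEEDAAAA,tok-old-111,
ben@example.com,555-0101,2 Sample St,,tok-live-222,blob-ben
cy@example.com,555-0102,3 Sample St,SAMPLESEEDBBBB,,
"""

def fp(value):
    """SHA-256 fingerprint, so the inventory never has to hold plaintext secrets."""
    return hashlib.sha256(value.strip().encode()).hexdigest()

# Hypothetical inventory of active accounts: email -> fingerprints of current secrets.
ACTIVE = {
    "ana@example.com": {"tfa_secret": fp("SAMPLESEEDAAAA"), "token": fp("tok-new-999")},
    "ben@example.com": {"token": fp("tok-live-222"), "auth_data": fp("blob-ben")},
}

def triage(leak_file, active):
    """Return one finding per active account that appears in the leaked export."""
    findings = []
    for row in csv.DictReader(leak_file):
        email = (row.get("email") or "").strip().lower()
        current = active.get(email)
        if current is None:
            continue  # no active account under this address
        # Columns that carry a value in the leak for this user.
        exposed = [f for f in SECRET_FIELDS if (row.get(f) or "").strip()]
        # Leaked value still equals the live secret: rotate or re-enroll first.
        live = [f for f in exposed
                if f in current and hmac.compare_digest(fp(row[f]), current[f])]
        stale = [f for f in exposed if f not in live]
        findings.append({"email": email, "rotate_now": live, "exposed_stale": stale})
    return findings

if __name__ == "__main__":
    for finding in triage(io.StringIO(LEAKED_CSV), ACTIVE):
        print(finding)
```

Fields under rotate_now are leaked values that still equal the live secret; fields under exposed_stale were leaked but no longer match what is in use.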