B&Q data leak exposes information on 70,000 thefts from its stores, including names of suspected offenders

If you run a chain of superstores up and down the UK you have to recognise that from time to time ne’er-do-wells are likely to steal goods from your shelves.

And so it wouldn’t be a surprise if those stores maintain a database of the names of those people who they have caught stealing products, what was stolen, the value of the goods stolen, and which stores they were stolen from.

After all, you might wish to ban people who have stolen from you in the past, or who you suspect might steal from you in the future, from your premises.

Oh, and one thing is for sure – you certainly would want to make sure that such a database wasn’t itself easy to steal…

Unfortunately, according to security specialists at Ctrlbox, well-known UK household goods and hardware store B&Q has been careless with its database for tracking thefts – leaving it wide open for anyone on the internet to access.

A database of 70,000 offender and incident logs was only supposed to be accessible internally within B&Q, but was instead exposed for anyone to access.

The offending (ho ho..) database was on an ElasticSearch server – a technology used for powering search functions – and was not protected by a password.

The nature of the data (alleging possible criminal activity and including in some cases people’s names and vehicle details) meant, of course, that it could be considered highly sensitive and could have serious repercussions if it fell into the wrong hands through such sloppiness.

[Image: database entry]

That’s obviously bad. But what makes things worse is the hoops Ctrlbox had to jump through in order to get the data removed from the internet.

Having determined that the data was related to B&Q by analysing GEOIP information, product codes, and types of goods listed in the exposed data, Ctrlbox’s Lee Johnstone sent a notification to the store’s support team. This was followed a day later by a message to B&Q over Twitter.

Four days after the first notification, Johnstone says that the data was still wide open:

“…clearly they had not got the message and it was becoming clear that B&Q was not going to act on this any time soon, so another message was sent to support who once again assured me that the message had been sent to the right people.”

[Image: tweet]

Johnstone says that after a week he had communicated with three different support staff, but nothing had been done. He even tried messaging B&Q CEO Christian Mazauric on LinkedIn (according to Johnstone, Mazauric read the message, but never replied).

The offending ElasticSearch server only finally went offline two days ago – almost two weeks after B&Q was informed about the problem.

Companies need to act more quickly when informed of serious breaches. And all staff, even if they don’t have the ability to assess the seriousness of an issue themselves, need to understand the importance of escalating it to the right team in a prompt fashion.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.
