French sports giant Decathlon has leaked over 123 million records via an improperly secured ElasticSearch server, according to security researchers Noam Rotem and Ran Locar at VPNmentor.
The two spotted the database on February 12 and notified the company four days later. (They say they typically need “days of investigation before we understand what’s at stake or who’s leaking”).
Decathlon has 44 stores around the UK and is present in 46 countries. It employs over 90,000 people globally and turns over more than €11 billion in revenue annually. It pulled down the server shortly after being notified.
Decathlon Leaks: Reams of PII Allegedly Exposed
Among the exposed data on the server: unencrypted customer emails and passwords, API logs, and comprehensive personal information on employees, including contract details, dates of birth and more.
Decathlon reacted fast, closing down public access on February 17, VPNmentor said. (The server appeared to belong to Decathlon Spain, “possibly Decathlon UK as well”, the security firm noted).
The Decathlon leaks are the latest in a long line of major data exposure incidents caused by misconfigured services, typically open source databases set up with minimal or non-existent access permissions.
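As an added example (not from the article, Decathlon or the researchers), the Python script below audits a flat elasticsearch.yml for the two settings that turn a node into an open database: a bind address beyond loopback combined with authentication left off. The setting names are real Elasticsearch keys; both sample configs are constructed, and the parser assumes the usual flat dotted-key layout.

```python
"""Added example: audit a flat elasticsearch.yml for the exposure pattern above,
a node listening on a non-loopback address with authentication off. Setting names
are real Elasticsearch keys; both sample configs are constructed for illustration."""

LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}

# Constructed sample: the kind of config behind an open database
WEAK_CONFIG = """
cluster.name: shop-logs
network.host: 0.0.0.0          # listens on every interface
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample: same node, locked down
HARDENED_CONFIG = """
cluster.name: shop-logs
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; comments and blank lines are dropped.
    Assumption: flat dotted keys only, the usual layout of elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def audit(settings):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    # http.host overrides network.host for the REST API; unset means loopback only
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    if host in LOOPBACK:
        return findings  # only reachable from the box itself
    security = settings.get("xpack.security.enabled")
    if security != "true":
        state = "disabled" if security == "false" else "not explicitly enabled"
        findings.append(f"REST API bound to {host} with authentication {state}")
    if settings.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(f"REST API bound to {host} without TLS on HTTP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

An absent xpack.security.enabled is reported as "not explicitly enabled" rather than assumed safe, because the default has varied across Elasticsearch versions and a reviewer should confirm it.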
Even security specialists are not immune, with Rubrik among those left with egg on its face after a misconfigured server revealed confidential client contact and configuration data early last year.
See also: Cloud Management Specialist Rubrik Spews Customer Data After Configuration Error
A recent McAfee survey suggested that 99 percent of IaaS misconfigurations initially go unnoticed, an eye-popping figure somewhat leavened by data showing that 60 percent of incidents are fixed within an hour.
“The enterprise companies we spoke to told us that they were aware of, on average, 37 misconfiguration incidents per month. Yet our real-world data shows that companies actually experience closer to 3,500 such incidents”, the security firm said.
Ed Macnair, CEO of Censornet, told us: “The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk.
“The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack.”
He added: “As more organisations move data to the cloud, it is imperative that they understand that this comes with greater responsibilities and different security challenges. When it comes to cloud infrastructure configuration, it only takes one instance of human error for large amounts of sensitive data to be exposed.
“Companies of all sizes need to take responsibility for the data they store by implementing technology that offers them visibility and control over how sensitive data is being handled in the cloud.”
Decathlon has been contacted for comment.