View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 25, 2020

Decathlon Leaks 123 Million Records via Insecure Elasticsearch Server

Huge amounts of personal information exposed

By CBR Staff Writer

French sports giant Decathlon has leaked over 123 million records via an improperly secured ElasticSearch server, according to security researchers Noam Rotem and Ran Locar at VPNmentor.

The two spotted the database on February 12 and notified the company four days later. (They say they typically need “days of investigation before we understand what’s at stake or who’s leaking”).

Decathlon has 44 stores around the UK, and is present in 46 countries. It employs over 90,000 globally and turns over €11 billion+ in revenues annually. It pulled down the server shortly after being notified.

Decathlon Leaks: Reams of PII Allegedly Exposed

Among the exposed data on the server: unencrypted customer emails and passwords, API logs, comprehensive private information of employees, including contract details, dates of birth and more.

Decathlon reacted fast, closing down public access on February 17, VPNmentor said. (The server appeared to belong to Decathlon Spain, “possibly Decathlon UK as well”, the security firm noted).

The Decathlon leaks are the latest in a long line of major data exposure incidents caused by misconfigured services; typically including open source databases set up with minimal or non-existent access permissions.

Even security specialists are not immune, with Rubrik among those facing egg on its face after a misconfigured server revealed confidential client contact and configuration data early last year.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

See also: Cloud Management Specialist Rubrik Spews Customer Data After Configuration Error

A recent McAfee survey suggested that 99 percent of IaaS misconfigurations initially go unnoticed; an eye-popping figure, somewhat leavened by data showing that 60 percent of incidents are fixed within an hour).

“The enterprise companies we spoke to told us that they were aware of, on average, 37
misconfiguration incidents per month. Yet our real-world data shows that companies actually experience closer to 3,500 such incidents”, the security firm said.

Ed Macnair, CEO of Censornet, told us: “The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk.

“The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals with everything they need to launch a targeted attack.”

He added: “As more organisations move data to the cloud, it is imperative that they understand that this comes with greater responsibilities and different security challenges. When it comes to cloud infrastructure configuration, it only takes one instance of human error for large amounts of sensitive data to be exposed.

“Companies of all sizes need to take responsibility for the data they store by implementing technology that offers them visibility and control over how sensitive data is being handled in the cloud.”

Decathlon has been contacted for comment.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.