Decathlon, the world's largest sporting goods retailer by number of flagship stores, left more than 123 million records exposed on a misconfigured ElasticSearch server, security researchers at vpnMentor have found. The company has since secured the database, the vpnMentor report said.
Researchers Noam Rotem and Ran Locar discovered the unsecured database on 12 February and notified the company four days later.
“It came through the usual process of our project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked,” vpnMentor researcher Lisa Taylor told SC Media UK.
“The database was left unencrypted and without password protection. Anyone with the right URL could just access it and all its data. Once we were certain that it belonged to Decathlon, we disclosed it to the company on 16 February. They acted quickly,” she added.
Decathlon has 1,647 stores across 57 countries as of 31 December 2019, employing more than 93,000 globally with net sales of €12.4 billion (£10.27 billion). The exposed data on the server includes detailed private information on employees and unencrypted customer emails and passwords.
The research team confirmed that the database belonged to Decathlon Spain, but there was a strong possibility of Decathlon United Kingdom information included as well.
“These are the countries where we found local Decathlon data included in the leak, but we did not go through all 123 million plus records, and it is possible that there are more locations in additional countries that were impacted,” said the vpnMentor report.
The data stolen from this trove could be used for corporate espionage, phishing, identity theft, or even physical threats, said the report.
“Employees’ positions and work locations are spread throughout this database, as well as their own physical home addresses. This could lead to disgruntled former co-workers or irate customers tracking them down and threatening their physical safety and well-being.”
Elastic NV has been frequently named in data breaches recently, ranging from marketing data to dating sites and even a national crisis. James Spiteri, global solutions lead at Elastic, attributes the situation to misconfiguration and the wide use of the service.
Yana Avezova, analyst at Positive Technologies, agrees on the issue of misconfiguration.
“ElasticSearch nodes, to work effectively, are added to a cluster. For each node, the port that other nodes in the cluster use when communicating with this one must be available and open. The easiest, and most unsafe way to ensure unsecure interaction between nodes is to have unrestricted access, and some administrators do just that. As a result, servers with ElasticSearch become available to any Internet user,” Avezova said.
Another common mistake is the lack of authentication, where the data is available to download without entering a password, she pointed out. Administrators should pay more attention to security issues, especially by using settings that help protect databases from unauthorised access. In particular, specific authentication controls should be implemented. In this case, ElasticSearch uses the X-Pack plugin, she explained.
“From the screenshots available on the vpnMentor website, we can see that Decathlon uses a log management solution based on ElasticSearch. The problem with this is that personal information and credentials got into the logs in plain text - this is unacceptable. Before writing to the log, critical data must be deleted or masked,” Avezova added.
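The masking step Avezova describes, as an added example that is not code from vpnMentor, Decathlon or Elastic: a scrubber that drops credential fields and masks e-mail addresses in structured log documents and free-text messages before they are shipped to an ElasticSearch index. The field names, the regular expressions and the sample event are constructed assumptions for this illustration.

```python
import logging
import re

# Field names treated as credentials (dropped) or PII (masked). Constructed lists;
# a real deployment would derive these from its own log schema.
SECRET_KEYS = {"password", "passwd", "pwd", "token", "api_key", "authorization"}
PII_KEYS = {"email", "home_address", "phone"}

# Keeps the first character of the local part and the domain, so support staff
# can still correlate events without the full address landing in the index.
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+)")
# Catches "password=secret" / "token: secret" embedded in free-text messages.
KV_SECRET_RE = re.compile(r"(?i)\b(password|passwd|token|api_key)\s*[:=]\s*\S+")


def mask_email(value: str) -> str:
    return EMAIL_RE.sub(lambda m: f"{m.group(1)}***@{m.group(2)}", value)


def scrub_text(text: str) -> str:
    """Redact key=value secrets first, then mask any e-mail addresses."""
    text = KV_SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return mask_email(text)


def scrub_record(doc: dict) -> dict:
    """Return a copy of a structured log document that is safe to index."""
    out = {}
    for key, value in doc.items():
        k = key.lower()
        if k in SECRET_KEYS:
            out[key] = "[REDACTED]"           # credentials never reach the log
        elif isinstance(value, dict):
            out[key] = scrub_record(value)    # recurse into nested objects
        elif k in PII_KEYS and isinstance(value, str):
            out[key] = mask_email(value) if "@" in value else "[MASKED]"
        elif isinstance(value, str):
            out[key] = scrub_text(value)      # free text may still leak secrets
        else:
            out[key] = value
    return out


class ScrubFilter(logging.Filter):
    """Attach to a logger so every message is scrubbed before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(str(record.msg))
        return True


# Constructed sample event of the kind a login handler might emit.
SAMPLE_EVENT = {
    "event": "login_failed",
    "user": {"email": "jane.doe@example.com", "password": "hunter2"},
    "message": "auth failed for jane.doe@example.com password=hunter2",
    "store_id": 1647,
}
```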
“For years Elastic charged for basic customer-safety features like encryption at rest and authentication for databases. This led to a lot of companies using open Elasticsearch clusters without proper security so it is not surprising that there are thousands of these open Elasticsearch clusters out there exposing data,” commented Chad Anderson, research engineer at DomainTools.
“Now that Amazon has open-sourced their own security tooling for Elasticsearch this is slowly improving, but that is no excuse for blatant GDPR violations like that from Decathlon. Any database containing PII should never be left unencrypted and exposed without authentication.”
Incidents like these are reminders that businesses need to remain accountable for protecting their data irrespective of its location, commented Chris Miller, regional director - UK & Ireland at RSA Security.
“In any business, it is now highly likely that some personally identifiable information will be hosted by cloud providers. This doesn’t absolve companies of responsibility. As technologies such as the cloud are embraced and used for storing data, businesses must also be mindful of the increased digital risk that this brings,” he said.