French sporting retail giant Decathlon has become the latest big brand to expose user data via a misconfigured database, leaking over 123 million records including customer and employee information, according to researchers.
A team at vpnMentor uncovered the 9GB database on an unsecured Elasticsearch server that was reachable from the public internet. It contained information from Decathlon’s Spanish business and possibly its UK business as well.
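The article does not say which setting left the server open, so the following is an added illustration of the pattern behind most incidents of this kind, not Decathlon’s actual configuration or anything from the vpnMentor report: an Elasticsearch 7.x-era node bound to every network interface with the security module switched off, shown beside a hardened form. The setting names are real Elasticsearch options; the IP address and keystore path are placeholders.

```yaml
# elasticsearch.yml, exposed pattern (assumed example, not the retailer's real config)
network.host: 0.0.0.0            # listens on every interface, including the public one
http.port: 9200
xpack.security.enabled: false    # no authentication: anyone reaching port 9200 can read every index

---
# elasticsearch.yml, hardened form (assumed example)
network.host: 10.0.1.20          # placeholder: bind to a private interface only, firewall or security group in front
http.port: 9200
xpack.security.enabled: true     # require credentials or API keys on the HTTP API
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

A quick external check is `curl http://<host>:9200/_cat/indices?v` from outside the network: an anonymous HTTP 200 that lists index names means the node is open to anyone who finds it, which is exactly how scanners and researchers locate databases like this one.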
“The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information,” said vpnMentor.
Leaked data included employee usernames, passwords stored in cleartext and personally identifiable information (PII) including social security numbers, full names, home addresses, mobile phone numbers and birth dates.
The leaked data also featured customer email and log-in information, all unencrypted.
The vpnMentor team claimed that cyber-criminals could use the administrator log-ins to conduct corporate espionage, bombard customers and employees with convincing phishing emails, and use the PII to commit identity fraud.
It even argued that some employees could be in physical danger.
“Employees’ positions and work locations are spread throughout this database, as well as their own physical home addresses,” the report noted. “This could lead to disgruntled former co-workers or irate customers tracking them down and threatening their physical safety and well-being.”
Decathlon claims that, despite the large number of records in the database, only a small percentage relates to actual users.
The unsecured database was discovered on February 12 and the company was notified four days later, on February 16. It acted almost immediately, closing public access to the database on February 17.
Decathlon joins a long line of organizations whose cloud security configurations have been found wanting. Already in 2020, vpnMentor has uncovered a leak of 30,000 records linked to US cannabis users, and thousands of UK business professionals who were exposed via a London-based consultancy.