Decathlon, sporting retailer, leaks 123 million employee and customer records

Decathlon, giant sporting goods retailer, has leaked over 123 million employee and customer records via a misconfigured cloud database.

According to vpnMentor research, the leaked data contained information from Decathlon's Spanish businesses, and potentially UK Decathlon too.

They found that the records were greater than 9GB in size on an ElasticSearch server. The vpnMentor team discovered the breach on February 12th 2020, notified the company on February 16th 2020 and the database was finally closed on February 17th 2020.

The actual records contain a concerning amount of employee data, that could eventually facilitate a hacker to take over accounts and gain access to private information. The data impacted includes:

  • Unencrypted passwords
  • Employee usernames
  • Work email addresses
  • Employment contract information (including working hours, location, qualifications and contract period)
  • API logs
  • API username and unencrypted password
  • PII of employees (including social security numbers, nationalities, mobile phone numbers, full addresses and birthdates)
  • Customer email and login information, unencrypted
  • Private IP addresses

What kind of damage could this leaked information cause? It may lead to cyber criminals taking over accounts and obtaining otherwise confidential information about stores, employees, and customers.

The kind of attacks that could come as a result of this leak include phishing, identity theft and even physical threats. vpnMentor caution: 'This [information regarding the location of homes and workplaces] could lead to disgruntled former coworkers or irate customers tracking them down and threatening their physical safety and well-being'.

Ed Macnair, Ceo of Censornet, explains the extent of the risk: "The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk".

"Besides the potential cyber security ramifications, as their home addresses have been exposed too, their physical safety could also be at risk", he adds.

 

The question is, could Decathlon have prevented this type of leak? Experts believe so. They give the following advice:

  • Secure your servers
  • Implement proper access rules
  • Never leave a system that doesn’t require authentication open to the internet

But Decathlon are not the only company to experience this type of breach. And they probably won't be the last.