Over 10,000 unencrypted transaction records exposed online by DronesForLess.co.uk

Over 10,000 unencrypted transaction records exposed online by DronesForLess.co.uk

Over 10,000 unencrypted transaction records exposed online by DronesForLess.co.uk

DronesForLess.co.uk, an online seller of low cost drones in the UK, was recently found to have pasted over 10,000 online transaction records on its website without making any attempts to encrypt such data.

According to The Register, the exposed online transaction records not only revealed "names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer and the last 4 digits of credit cards used to pay for goods", but also revealed details of police, military, government and private customers who purchased drones on the website.

It added that the data could be accessed by anyone with even a limited knowledge of browsing on the Internet. This revelation comes at a time when GDPR is less than fifty days away and firms across the UK are rushing to ensure compliance with the landmark privacy regulation.

The Register was initially tipped off by Alan at secret-bases.co.uk, following which it investigated the exposure and found his claims to be correct. It then contacted the site's operators to report the exposure on 2nd April and it took several days for the operators to finally remove the exposed data from their website.

It is not known how long records of online transactions were stored in DronesForLess.co.uk without encryption, and whether any of that data was accessed and then misused by cyber criminals.

According to The Register, those who purchased cameras and drones on the website included not only private citizens in the UK, but also "staff from privatised defence research firm Qinetiq; the UK's Defence Science and Technology Laboratory's radar R&D base at Portsdown Hill; the Brit Army's Infantry Trials and Development Unit; UK police forces up and down the country; local councils, and governmental agencies".

This isn't the first time that sensitive and personal information of customers or employees has been stored online by firms without protecting them with adequate security. Last year, personal details of as many as 500 specialist trainee doctors at St Helens and Knowsley Teaching Hospitals NHS Trust were exposed after an internal spreadsheet containing their sensitive and private details was published online. Details in the spreadsheet included National Insurance numbers, email addresses, and home addresses of the 500 doctors.

In August last year, poor security controls implemented by SwiftQueue, an NHS contractor who managed appointments for patients seeking treatment or consultation at eight NHS trusts, allowed a hacker to access and steal sensitive details of 1.2 million patients including their names, phone numbers, email addresses, and passwords.

“I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details,” the hacker told The Sun. The hacker added that he was also able to download the contractor's entire database that contained 11 million patient records.

ALSO READ:

Leaky company databases expose 25 million accounts, researcher finds

Unsecured spam email server leaks 711 million email addresses and passwords

Copyright Lyonsdown Limited 2021

Top Articles

WhatsApp's New Privacy Policy Deadline Has Arrived

At the start of 2021, WhatsApp announced its privacy policy updates, sparking outrage and backlash from its consumers as WhatsApp will share personal information with its parent company, Facebook.

Overcoming the security challenge in remote working environments

The pandemic has changed the way we work. Remote working is no longer a nice-to-have for organisations, but a necessity especially if they want to attract the best talent.

President Biden pens Executive Order to boost US cybersecurity

US President Joe Biden signed an Executive Order this week to boost the cyber security of federal government systems and data.

Related Articles