French sports giant Decathlon has leaked over 123 million records via an improperly secured ElasticSearch server, according to security researchers Noam Rotem and Ran Locar at VPNmentor. The two spotted the database on February 12 and notified the company four days later. (They say they typically need “days of investigation before we understand what’s at stake or who’s leaking”). Decathlon has 44 stores around the UK, and is present in 46 countries. It employs over 90,000 globally and turns over €11 billion+ in revenues annually. It pulled down the server shortly after being notified.
Expert Comments
Cloud isn’t inherently unsecure, but we do need to be adapting our due diligence to fit this new environment.
Decathlon is only the latest company to suffer from the security risks of a misconfigured database, but the lessons here are not only about cloud and configuration, it's about a multi-layered approach to cyber. While the term is often used as a throwaway comment or advice from security vendors, it's clear that there is still a long way to go to achieve a truly multi-layered defence in depth approach. It is by layering security – for example checking configurations, managing cloud...
Account owners will need to be certain that they haven't used the same password for their Decathlon account in other online accounts.
The implications of such exposed data could be catastrophic to the victims involved, and such a large amount of personal data on each of the victims is more than I would usually see in an attack like this. Bank fraud and identity theft are naturally the first areas of concern, but with this amount of data at their disposal, the possibilities are endless to bad actors. It would take a significant amount of work to mitigate the risk, but extra fraud protection on the victim's banks would be the...
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides.
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides. While in any business it is now highly likely that some personally identifiable information will be hosted by cloud providers, this doesn't absolve companies of responsibility; as technologies such as the cloud are embraced and used for storing data, businesses must also be mindful of the increased digital risk that this brings. Data leaks highlight the...
It only takes one instance of human error for large amounts of sensitive data to be exposed.
The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk. The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack. Besides the potential cyber security ramifications, as their home addresses have been exposed too, their physical safety could also...
This database was sitting in a location viewable from the internet, unsecured and unencrypted.
Employees responsible for protecting and using data need to have a robust security program in place to understand the systems where data is stored and monitor all access.
This database was sitting in a location viewable from the internet, unsecured and unencrypted; dangerous practices that have certainly led to exposure of a large amount of sensitive data. To have data residing on internet facing servers that were discoverable and contain a large amount of unencrypted and unsecured sensitive...
Any database containing PII should never be left unencrypted and exposed without authentication.
For years Elastic — the maintainers of the open-source Elasticsearch — charged for basic customer-safety features like encryption at rest and authentication for databases. This led to a lot of companies using open Elasticsearch clusters without proper security so it is not surprising that there are thousands of these open Elasticsearch clusters out there exposing data. Now that Amazon has open-sourced their own security tooling for Elasticsearch this is slowly improving, but that is no...
With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations.
Unfortunately, this is yet another Elastic database that is open to the public, which has nothing to do with the product itself but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of 'quickly deploying a system in the cloud', security is still often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some...
Yana Avezova, Analyst, provides expert commentary at Information Security Buzz:
"In particular, specific authentication controls should be implemented. In this case, ElasticSearch uses the X-Pack plugin...."
https://informationsecuritybuzz.com/expert-comments/experts-insight-on-decathlon-suffers-major-breach-impacting-over-120-million-customers
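Two of the comments above make the same practical point: a cluster like this one is reachable because the node answers its HTTP API without any authentication, and that state comes from the deployment configuration, not from Elasticsearch itself. The script below is an added example written for this page, not code from the article, from Decathlon, from vpnMentor or from Elastic. It does two things a practitioner would want: it classifies the response from an Elasticsearch node's root endpoint (an unsecured node answers GET / with HTTP 200 and a JSON document carrying `cluster_name`, `version` and the tagline "You Know, for Search"; a node with X-Pack security enabled answers 401 with a `WWW-Authenticate: Basic realm="security"` header), and it audits an `elasticsearch.yml` for the two settings that produce the exposed state, `network.host` bound to a non-loopback interface and `xpack.security.enabled` left unset or false. The sample responses and both config files are constructed for the example; the `probe_host` helper is the only part that touches the network and is never called by the tests.

```python
"""Added example: audit helpers for an exposed Elasticsearch node.

Not code from the article or any quoted expert. Assumptions:
  * Root-endpoint behaviour as described in the lead-in (200 + JSON with
    cluster_name/version/tagline when open; 401 + Basic challenge when
    X-Pack security is enabled).
  * Before Elasticsearch 8.0, xpack.security.enabled defaults to false, so a
    config that omits it runs without authentication.
  * The responses and config texts below are constructed sample data.
"""
import json
import urllib.error
import urllib.request

LOOPBACK_BINDINGS = {"_local_", "localhost", "127.0.0.1", "::1"}


def classify_root_response(status, headers, body):
    """Return 'open', 'auth_required' or 'not_elasticsearch' for a GET / reply."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    if status == 401 and "basic" in hdrs.get("www-authenticate", "").lower():
        return "auth_required"  # X-Pack security is on; node demands credentials
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not_elasticsearch"
        if "cluster_name" in doc and "version" in doc and doc.get("tagline", "").startswith("You Know"):
            return "open"  # anyone who can reach the port can read every index
    return "not_elasticsearch"


def probe_host(host, port=9200, timeout=3.0):
    """Live check of one node (hypothetical helper; only call it against hosts you own)."""
    url = "http://%s:%d/" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_root_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:  # 401 arrives here, not as a normal response
        return classify_root_response(err.code, dict(err.headers), err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit_elasticsearch_yml(text):
    """Flag settings that leave a node reachable without authentication.

    elasticsearch.yml is flat key: value YAML, so a line parser is enough here
    and avoids a PyYAML dependency.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch default is loopback only
    if host not in LOOPBACK_BINDINGS:
        findings.append("network.host=%s binds the HTTP API to a non-loopback interface" % host)
    security = settings.get("xpack.security.enabled")
    if security is None:
        findings.append("xpack.security.enabled not set: disabled by default before 8.0, API is unauthenticated")
    elif security.lower() == "false":
        findings.append("xpack.security.enabled=false: authentication explicitly turned off")
    return findings


# Constructed sample data -----------------------------------------------------
OPEN_RESPONSE = (
    200,
    {"Content-Type": "application/json; charset=UTF-8"},
    json.dumps({"name": "node-1", "cluster_name": "demo-cluster",
                "version": {"number": "7.6.0"}, "tagline": "You Know, for Search"}).encode(),
)
SECURED_RESPONSE = (
    401,
    {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"', "Content-Type": "application/json"},
    b'{"error":{"type":"security_exception","reason":"missing authentication credentials for REST request [/]"}}',
)

# The weak setup: bound to every interface, security never switched on.
OPEN_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

# The corrected setup: loopback only (put a reverse proxy or VPN in front), X-Pack
# security on. Transport TLS is required by the bootstrap checks once security is
# enabled on a production binding, so it is set here as well.
HARDENED_CONFIG = """
cluster.name: demo-cluster
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    print("open node    :", classify_root_response(*OPEN_RESPONSE))
    print("secured node :", classify_root_response(*SECURED_RESPONSE))
    for name, cfg in (("weak", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config findings: %s" % (name, audit_elasticsearch_yml(cfg) or "none"))
```

Enabling `xpack.security.enabled` is only the first step: with it on, Elasticsearch refuses to start on a production binding until transport TLS is configured and the built-in user passwords have been set, which is exactly the friction the comments above describe as the reason so many clusters were left open. The config audit is deliberately strict about `network.host`: any non-loopback binding is reported, because whether `_site_` or `0.0.0.0` is actually internet-facing depends on the cloud security group, not on the file.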