Experts Insight On Decathlon Suffers Major Breach Impacting Over 120 Million Customers

French sports giant Decathlon has leaked over 123 million records via an improperly secured Elasticsearch server, according to security researchers Noam Rotem and Ran Locar at vpnMentor. The two spotted the database on February 12 and notified the company four days later (they say they typically need "days of investigation before we understand what's at stake or who's leaking"). Decathlon has 44 stores around the UK and is present in 46 countries; it employs over 90,000 people globally and turns over €11 billion+ in revenue annually. It pulled down the server shortly after being notified.

Experts' Comments

February 27, 2020
Yana Avezova
Analyst
Positive Technologies
Major data leaks from ElasticSearch servers, as was the case with Decathlon, are occurring with increasing frequency. This problem is not related to a specific industry and is relevant for any company in which large volumes of information are stored and processed using ElasticSearch software. In the case of Decathlon, we see several security issues that led to the leak. First, there is a misconfiguration. ElasticSearch nodes, to work effectively, are added to a cluster. For each node, the port that other nodes in the cluster use when communicating with this one must be available and open. The easiest, and most unsafe way to ensure unsecure interaction between nodes is to have unrestricted access, and some administrators do just that. As a result, servers with ElasticSearch become available to any Internet user. Another common mistake is the lack of authentication - in other words - the data is available to download without entering a password. Administrators should pay more attention to security issues, especially by using settings that help protect databases from unauthorised access. In particular, specific authentication controls should be implemented. In this case, ElasticSearch uses the X-Pack plugin. Secondly, from the screenshots available on the vpnMentor website, we can see that Decathlon uses a log management solution based on ElasticSearch. The problem with this is that personal information and credentials got into the logs in plain text - this is unacceptable. Before writing to the log, critical data must be deleted or masked.
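Worked example added to this page (not code from Decathlon, Elastic or the commenter above) covering the two points in that comment: a Python script that audits a flat elasticsearch.yml fragment for a node bound to all interfaces with authentication switched off (and, once authentication is on, for missing TLS), and a log-masking step that redacts credentials and e-mail addresses before a record is indexed. The config fragments, the log lines, the regex rules and the assumed defaults (loopback binding and `xpack.security.enabled: false` when the keys are absent, as on a pre-8.0 basic licence) are all constructed for illustration.

```python
"""Added example, not code from Decathlon, Elastic or the commenter above.

(1) audit a flat elasticsearch.yml for a node reachable from outside with
    authentication off; (2) mask credentials and e-mail addresses in log
    records before they reach the index. All inputs are constructed.
"""
import re

# Constructed elasticsearch.yml fragment. Binding every interface while
# xpack.security.enabled is false leaves the REST API on port 9200 readable
# by anyone who can reach the host.
WEAK_CONFIG = """
cluster.name: shop-logs
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.11", "10.0.0.12"]
xpack.security.enabled: false
"""

# Hardened counterpart. The ports stay reachable so the cluster still forms;
# the fix is authentication plus TLS on the HTTP layer (clients) and the
# transport layer (node-to-node), not hiding the port.
HARDENED_CONFIG = """
cluster.name: shop-logs
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.11", "10.0.0.12"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_settings(text):
    """Parse flat 'key: value' lines (the subset used above; comments dropped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return findings for one node's config. Assumed defaults when a key is
    absent: loopback binding, security off (pre-8.0 basic licence)."""
    s = parse_settings(text)
    findings = []
    host = s.get("network.host", "_local_")
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if host not in LOOPBACK and not auth_on:
        findings.append(
            "network.host=%s with xpack.security.enabled=false: every index is "
            "readable without a password on port %s" % (host, s.get("http.port", "9200")))
    for layer in ("http", "transport"):
        key = "xpack.security.%s.ssl.enabled" % layer
        if auth_on and s.get(key, "false").lower() != "true":
            findings.append("%s=false: %s traffic, credentials included, is sent in clear text"
                            % (key, layer))
    return findings


# Masking rules for what the comment says reached the logs in plain text,
# applied in order: credential fields, Authorization headers, then e-mail.
_RULES = [
    (re.compile(r'(?i)("?(?:password|passwd|pwd|token|secret|api_key)"?\s*[:=]\s*"?)'
                r'([^"&\s,]+)'), r"\1[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]


def mask_log_line(line):
    """Apply every masking rule to one log record before it is shipped."""
    for pattern, repl in _RULES:
        line = pattern.sub(repl, line)
    return line


# Constructed records of the kind an application ships to a log cluster.
SAMPLE_LOG = [
    "2020-02-12T10:15:01Z INFO login ok user=alice.smith@example.com "
    "password=Summer2020! ip=203.0.113.7",
    '2020-02-12T10:15:02Z DEBUG request {"user": "bob@example.org", '
    '"token": "eyJhbGciOiJIUzI1NiJ9.abc.def"}',
    "2020-02-12T10:15:03Z DEBUG headers Authorization: Bearer 3f9a1c "
    "Host: api.example.com",
]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no findings"])
    for record in SAMPLE_LOG:
        print(mask_log_line(record))
```

The masking step belongs in the application or the log shipper, before the record leaves the host; masking inside the cluster is too late, since the plaintext has already travelled over the network and been written to disk. The audit deliberately reports nothing for a loopback-only node even with security off, which matches the default single-node development setup; a production node should be expected to fail it until authentication and TLS are enabled.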
February 27, 2020
Cath Goulding
CISO
Nominet
Decathlon is only the latest company to suffer from the security risks of a misconfigured database, but the lessons here are not only about cloud and configuration, it's about a multi-layered approach to cyber. While the term is often used as a throwaway comment or advice from security vendors, it's clear that there is still a long way to go to achieve a truly multi-layered defence in depth approach. It is by layering security – for example checking configurations, managing cloud security and implementing robust encryption – that hackers can be stopped in their tracks and prevented from carrying out a successful exfiltration. A cloud environment carries different risks than traditional on-site servers, as control and visibility are often reduced for the security teams. However, responsibility for data security within the cloud still rests with the company using the service, and as such they should ensure they are not only taking every precaution to secure the data but also asking the right questions to the cloud provider. Cloud isn't inherently unsecure, but we do need to be adapting our due diligence to fit this new environment.
February 27, 2020
Jake Moore
Cybersecurity Specialist
ESET
The implications of such exposed data could be catastrophic to the victims involved, and such a large amount of personal data on each of the victims is more than I would usually see in an attack like this. Bank fraud and identity theft are naturally the first areas of concern, but with this amount of data at their disposal, the possibilities are endless to bad actors. It would take a significant amount of work to mitigate the risk, but extra fraud protection on the victim's banks would be the first port of call. Account owners will need to be certain that they haven't used the same password for their Decathlon account in other online accounts. Hackers create tools to re-use passwords stolen in data breaches like this, which is known as 'password stuffing'. It would also be wise for all users to check they have two factor authentication implemented where possible, as this makes password stuffing attacks much harder for cyber criminals.
February 26, 2020
Chris Miller
Regional Director, UK & Ireland at RSA Security
RSA Security
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides. While in any business it is now highly likely that some personally identifiable information will be hosted by cloud providers, this doesn't absolve companies of responsibility; as technologies such as the cloud are embraced and used for storing data, businesses must also be mindful of the increased digital risk that this brings. Data leaks highlight the importance of not only knowing what data sits where, but also who can access it. Organisations must ensure that they are clear on the security protocols protecting their data, and look to implement robust identity access management rules so that users are authenticated, and that data can only be accessed by those that require it. This approach to digital risk management will help to ensure company data remains safe, no matter where it is.
February 26, 2020
Ed Macnair
CEO
Censornet
The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk. The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack. Besides the potential cyber security ramifications, as their home addresses have been exposed too, their physical safety could also be at risk. This is the latest in a long line of organisations that have fallen foul of an unsecured cloud database. As more organisations move data to the cloud, it is imperative that they understand that this comes with greater responsibilities and different security challenges. When it comes to cloud infrastructure configuration, it only takes one instance of human error for large amounts of sensitive data to be exposed. Companies of all sizes need to take responsibility for the data they store by implementing technology that offers them visibility and control over how sensitive data is being handled in the cloud. The key to preventing leaks such as these is a multi-layered security posture that combines best practice policies and employee awareness with the right technology.
February 26, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
Employees responsible for protecting and using data need to have a robust security program in place to understand the systems where data is stored and monitor all access. This database was sitting in a location viewable from the internet, unsecured and unencrypted; dangerous practices that have certainly led to exposure of a large amount of sensitive data. To have data residing on internet facing servers that were discoverable and contain a large amount of unencrypted and unsecured sensitive data is like leaving your back door unlocked and ajar at home. The employees are potentially at great risk of identity theft, spear phishing and possibly physical harm because of all of the personal data exposed in this breach. If the data has been stolen by criminals, they are at risk of spear phishing emails and should be monitoring their credit accounts to make sure they are aware of all activities, like address changes, or new accounts being opened.
February 26, 2020
Chad Anderson
Research Engineer
DomainTools
For years Elastic — the maintainers of the open-source Elasticsearch — charged for basic customer-safety features like encryption at rest and authentication for databases. This led to a lot of companies using open Elasticsearch clusters without proper security so it is not surprising that there are thousands of these open Elasticsearch clusters out there exposing data. Now that Amazon has open-sourced their own security tooling for Elasticsearch this is slowly improving, but that is no excuse for blatant GDPR violations like that from Decathlon. Any database containing PII should never be left unencrypted and exposed without authentication.
February 26, 2020
Hugo Van den Toorn
Manager, Offensive Security
Outpost24
Unfortunately yet another Elastic Database that is open to the public, which has nothing to do with the product itself but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of 'quickly deploying a system in the cloud', security is -still- often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some cases even more valuable than money. Unfortunately, not everyone protects (your) data like the valuable asset it is. Even after vendors make statements such as 'we take your security and privacy seriously', we often see security ending up somewhere on the bottom of the priority list… Assuming it made the priority list at all.
