French sports giant Decathlon has leaked over 123 million records via an improperly secured ElasticSearch server, according to security researchers Noam Rotem and Ran Locar at VPNmentor. The two spotted the database on February 12 and notified the company four days later. (They say they typically need “days of investigation before we understand what’s at stake or who’s leaking”). Decathlon has 44 stores around the UK, and is present in 46 countries. It employs over 90,000 globally and turns over €11 billion+ in revenues annually. It pulled down the server shortly after being notified.

Major data leaks from ElasticSearch servers, as was the case with Decathlon, are occurring with increasing frequency. This problem is not related to a specific industry and is relevant for any company in which large volumes of information are stored and processed using ElasticSearch software. In the case of Decathlon, we see several security issues that led to the leak.
First, there is a misconfiguration. ElasticSearch nodes, to work effectively, are added to a cluster. For each node, the port that other nodes in the cluster use when communicating with this one must be available and open.
The easiest, and most unsafe, way to ensure interaction between nodes is to have unrestricted access, and some administrators do just that. As a result, servers with ElasticSearch become available to any Internet user. Another common mistake is the lack of authentication – in other words – the data is available to download without entering a password. Administrators should pay more attention to security issues, especially by using settings that help protect databases from unauthorised access. In particular, specific authentication controls should be implemented. In this case, ElasticSearch uses the X-Pack plugin.
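The two mistakes described above (a node bound to every interface, and no authentication in front of it) are both visible in elasticsearch.yml before the node ever goes live. The following is an added example, not code from the article or from Elastic: a small linter that reads the flat `key: value` lines of that file and flags the weak settings. The setting names network.host, xpack.security.enabled and xpack.security.http.ssl.enabled are real Elasticsearch settings; the two configuration fragments, the cluster name and the private address are constructed for the example.

```python
"""Lint an elasticsearch.yml for the settings that commonly expose a cluster:
listening on every interface and running without X-Pack security.
Added example (not from the article); the two YAML fragments are constructed."""

# Bindings that make the HTTP (9200) and transport (9300) ports reachable from
# outside the host. The special value names are Elasticsearch's own.
WORLD_REACHABLE_HOSTS = {"0.0.0.0", "::", "_global_"}

WEAK_CONFIG = """\
cluster.name: shop-logs          # constructed sample
node.name: node-1
network.host: 0.0.0.0            # bind to every interface
http.port: 9200
xpack.security.enabled: false    # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: shop-logs          # constructed sample
node.name: node-1
network.host: 10.0.5.12          # private interface only (constructed address)
http.port: 9200
xpack.security.enabled: true     # users and roles enforced
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """elasticsearch.yml is almost always written as flat dotted keys, so a
    line-based 'key: value' parser is enough here; '#' comments are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means none of the checked
    weaknesses is present."""
    s = parse_flat_yaml(text)
    findings = []

    host = s.get("network.host", "_local_")  # the default binds loopback only
    if host in WORLD_REACHABLE_HOSTS:
        findings.append(f"network.host={host}: node listens on all interfaces")

    # Releases before 8.0 left security off unless explicitly enabled, so an
    # absent key is treated the same as 'false'.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the REST API")

    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials cross the wire in clear text")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run against the weak fragment the linter reports all three problems; against the hardened one it reports none. A firewall rule limiting 9200/9300 to the other cluster members and the log shippers belongs alongside these settings, since network.host only decides which interfaces the node listens on, not who may reach them.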
Secondly, from the screenshots available on the vpnMentor website, we can see that Decathlon uses a log management solution based on ElasticSearch. The problem with this is that personal information and credentials got into the logs in plain text – this is unacceptable. Before writing to the log, critical data must be deleted or masked.
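Masking before the write, as the paragraph above requires, is easiest to enforce at the logging layer so that every destination (file, syslog, the shipper feeding ElasticSearch) only ever sees the masked text. The following is an added example, not code from the article or from Decathlon: a logging filter for Python's standard `logging` module that redacts password/token values, e-mail addresses and card- or ID-style digit runs. The three sample log lines, the user, the card number and the token are constructed; the patterns are a starting point to tune for your own log formats.

```python
"""Redact credentials and personal data from log records before any handler
writes them. Added example (not from the article); sample lines are constructed."""
import io
import logging
import re

# Constructed sample log lines, the kind a login or order service might write.
SAMPLE_EVENTS = [
    "login ok user=jane.doe@example.com password=hunter2 ip=203.0.113.7",
    'POST /api/order {"card": "4111 1111 1111 1111", "token": "eyJhbGciOi.abc.def"}',
    "profile update ssn=123456789012345 name=Jane Doe",
]

# key=value or JSON "key": "value" pairs whose value must never be logged
SECRET_KV = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret|api[_-]?key)\b"
    r"([\"']?\s*[=:]\s*[\"']?)([^\s,;\"'&}]+)"
)
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# Card-style groups (4-4-4-4) or any bare run of 9 to 19 digits (ID / account numbers)
LONG_NUMBER = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{9,19}\b")


def redact(message: str) -> str:
    """Return the message with secrets and PII masked; keeps enough shape
    (the e-mail domain, the last four digits) to stay useful for debugging."""
    message = SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", message)
    message = EMAIL.sub(lambda m: f"[email@{m.group(1)}]", message)
    message = LONG_NUMBER.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites the record before any handler formats it, so the masking
    cannot be bypassed by adding another handler later."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def write_redacted(events):
    """Send the events through a logger carrying the filter and return the
    lines that reached the handler, i.e. what a file or shipper would get."""
    buf = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for event in events:
        logger.info(event)
    logger.removeHandler(handler)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in write_redacted(SAMPLE_EVENTS):
        print(line)
```

Attach the filter to the root logger (or to the handler that ships to ElasticSearch) so the rule holds for every module. The filter is a safety net, not a substitute for not logging the field in the first place: a credential that was never passed to the logger cannot leak through a pattern the regex missed.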
Decathlon is only the latest company to suffer from the security risks of a misconfigured database, but the lessons here are not only about cloud and configuration; they are about a multi-layered approach to cyber. While the term is often used as a throwaway comment or advice from security vendors, it’s clear that there is still a long way to go to achieve a truly multi-layered defence in depth approach. It is by layering security – for example checking configurations, managing cloud security and implementing robust encryption – that hackers can be stopped in their tracks and prevented from carrying out a successful exfiltration.
A cloud environment carries different risks than traditional on-site servers, as control and visibility are often reduced for the security teams. However, responsibility for data security within the cloud still rests with the company using the service, and as such they should ensure they are not only taking every precaution to secure the data but also asking the right questions of the cloud provider. Cloud isn’t inherently unsecure, but we do need to be adapting our due diligence to fit this new environment.
The implications of such exposed data could be catastrophic to the victims involved, and such a large amount of personal data on each of the victims is more than I would usually see in an attack like this. Bank fraud and identity theft are naturally the first areas of concern, but with this amount of data at their disposal, the possibilities are endless to bad actors. It would take a significant amount of work to mitigate the risk, but extra fraud protection on the victim’s banks would be the first port of call.
Account owners will need to be certain that they haven’t used the same password for their Decathlon account in other online accounts. Hackers create tools to re-use passwords stolen in data breaches like this, which is known as ‘password stuffing’. It would also be wise for all users to check they have two factor authentication implemented where possible, as this makes password stuffing attacks much harder for cyber criminals.
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides. While in any business it is now highly likely that some personally identifiable information will be hosted by cloud providers, this doesn’t absolve companies of responsibility; as technologies such as the cloud are embraced and used for storing data, businesses must also be mindful of the increased digital risk that this brings. Data leaks highlight the importance of not only knowing what data sits where, but also who can access it. Organisations must ensure that they are clear on the security protocols protecting their data, and look to implement robust identity access management rules so that users are authenticated, and that data can only be accessed by those that require it. This approach to digital risk management will help to ensure company data remains safe, no matter where it is.
The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk. The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack. Besides the potential cyber security ramifications, as their home addresses have been exposed too, their physical safety could also be at risk.
This is the latest in a long line of organisations that have fallen foul of an unsecured cloud database. As more organisations move data to the cloud, it is imperative that they understand that this comes with greater responsibilities and different security challenges. When it comes to cloud infrastructure configuration, it only takes one instance of human error for large amounts of sensitive data to be exposed.
Companies of all sizes need to take responsibility for the data they store by implementing technology that offers them visibility and control over how sensitive data is being handled in the cloud. The key to preventing leaks such as these is a multi-layered security posture that combines best practice policies and employee awareness with the right technology.