The France-based sports retailer Decathlon noticed recently that over 123 million records that included customer and employee information were exposed through a misconfigured database. A 9GB database on an Elasticsearch server was discovered by researchers at vpnMentor. From observations by vpnMentor, it seems as if the data belongs to Decathlon’s Spanish and UK businesses. The information included in the server was employee usernames, unencrypted passwords, Social Security numbers (SSNs), full names, addresses, mobile phone numbers, addresses, and birthdates. Also included in the database was customer information such as unencrypted email and log-in information. The company was notified four days after the database was discovered on February 16th and immediate action was taken. The database has since been made unavailable.
Analyst Notes
Due to the data included, employees could become at risk for identity fraud and customers and employees alike could be exposed to an uptick in phishing emails. To protect themselves, users should contact an identity monitoring service that can detect suspicious activity and alert users when it occurs, as well as recover stolen information. With the possibility of an increase in phishing emails, users should be aware of the warning signs and never interact with emails that come from unknown senders.
Source: https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/?&web_view=true
