Decathlon exposes data of millions of customers, employees
Renowned sports retailer Decathlon has been embroiled in a major controversy. The company, which sells in India and 48 other countries, has been caught exposing data of millions of its employees and customers. Someone in the company had left a server open, giving any threat actor who knew where to look a chance to steal all the information. Here's all about it.
Over 123 million records found leaking from open server
A few weeks back, the cybersecurity team of vpnMentor discovered an open Elasticsearch server with a database associated with Decathlon. On investigating the case, they found 9 GB worth of data inside the unprotected database - all waiting to be discovered, stolen, and exploited by a hacker. The whole package, the researchers claimed, had more than 123 million records of Decathlon employees and customers.
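An "open" Elasticsearch server of the kind described above is typically one whose REST API is bound to a network interface with no authentication enabled, so anyone who can reach the port can read every index. The following is an added example, not code from the article, vpnMentor, or Decathlon, showing how an operator can audit a node's own configuration for that combination. The two configuration snippets are constructed for illustration and are assumptions about how such a node might be set up; they are not Decathlon's actual settings.

```python
"""Audit an Elasticsearch node configuration for unauthenticated network
exposure: a non-loopback bind address combined with security switched off.

Added example; not code from the article, vpnMentor, or Decathlon. Uses only
the standard library so it runs offline. The sample configs are constructed.
"""

# Bind addresses that keep the HTTP API off the network entirely.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: looks like a quick analytics setup, no security settings.
EXPOSED_CONFIG = """
cluster.name: retail-analytics   # constructed sample, not a real cluster
network.host: 0.0.0.0            # listens on every interface
http.port: 9200
"""

# Constructed sample: same cluster with authentication and TLS turned on.
HARDENED_CONFIG = """
cluster.name: retail-analytics
network.host: 10.0.0.5           # constructed private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines, which is enough for the basic
    elasticsearch.yml keys used here. Comments and blank lines are ignored;
    nested YAML is not handled, so use a YAML library for real files."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch(settings):
    """Return a list of findings for a parsed settings dict.

    A missing xpack.security.enabled is treated as 'off', which is the
    conservative reading: releases before 8.x default it to false, and an
    audit should not assume a newer default."""
    findings = []
    host = settings.get("network.host", "_local_")
    bound_to_network = host not in LOOPBACK_HOSTS
    security_on = settings.get("xpack.security.enabled", "").lower() == "true"

    if not security_on:
        findings.append(
            "xpack.security.enabled is not true: the REST API has no authentication"
        )
    if bound_to_network and not security_on:
        findings.append(
            f"CRITICAL: network.host={host} with security off; anyone who can "
            "reach the port can read every index"
        )
    return findings


def is_exposed(config_text):
    """True when the configuration describes an unauthenticated, network-reachable node."""
    return any(f.startswith("CRITICAL") for f in audit_elasticsearch(parse_simple_yaml(config_text)))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(parse_simple_yaml(cfg)) or ["no findings"])
```

The audit only looks at the node's own settings; a node that passes it can still be exposed by a firewall rule or cloud security group that forwards port 9200 to the internet, so the configuration check belongs alongside an external reachability check from outside the network.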
What kind of information was exposed?
According to vpnMentor, the information exposed through the server was largely associated with the employees of Decathlon Spain and Decathlon UK and a few customers. This included a range of data, starting from the employees' official usernames, email addresses, unencrypted passwords, and qualifications to personally identifiable information like their social security numbers, nationalities, mobile phone numbers, home addresses and dates of birth.
Customer data included emails, login information
Along with the huge chunk of employee data, the database also carried information on some customers, mainly their personal email addresses, private IP addresses, and unencrypted login information.
Decathlon plugged database immediately after being notified
The vpnMentor team uncovered the database on February 12 and then confirmed its ownership and alerted Decathlon on February 16. Within a day of being notified, the company took note of the matter and secured the open database on the server. However, it did not say if anyone else had accessed the server prior to researchers at vpnMentor.
Information leaked can easily be abused to target people
Even though it remains unclear whether anyone else accessed the data, the threat from this leak cannot be ruled out. Specifically, if a threat actor gets hold of the millions of records in question here, they can easily use them to target unsuspecting Decathlon customers and employees. This can end up in scary cases of phishing, financial fraud, or personal identity theft.