Decathlon, one of the most popular sports gear retailers in Europe, left an unprotected ElasticSearch server online, leaking 9GB of data comprising 123 million records. The server reportedly belongs to the Spanish arm of the firm, but it is possible that data from Decathlon UK is also involved in the security incident. The leak was discovered by vpnMentor researchers on February 12, 2020. Decathlon was notified on February 16, 2020, and secured the database within the following day. Upon analyzing the data, the researchers found that the following things had been exposed:
Besides the leaked personal data of employees, Decathlon has the problem of API details that should never have been publicly exposed. When those details include usernames and unencrypted passwords, it is like handing the keys to your network to anyone out there. Using this data, actors could very easily roam inside Decathlon's systems, access confidential information, check local inventories, dig deeper into the PII (personally identifiable information) of particular employees such as store managers, track down employees or even customers, and eventually threaten their physical safety.
Those affected by this incident are advised to contact Decathlon and ask to what extent their data was exposed. If you are a Decathlon employee, the only thing you can do now is to be aware of the possible consequences of this data exposure. Receiving phishing emails that contain valid personal information is one possibility; falling victim to identity theft is another. You may therefore want to keep an eye on your bank account activity, and inform friends and family that they may be contacted by someone who makes bold or strange claims about you, or who poses as you.
Decathlon has not yet issued an official announcement about the incident, although it should at least inform its customers. The company blundered by leaving the database unprotected, demonstrated a lack of basic security practices by storing the data in an entirely unencrypted form, and is now acting unethically by not informing the affected individuals.