DIY giant exposed data of suspected store thieves on the internet with no security
No password protection on exposed details of suspected shoplifters online.
DIY superstore chain B&Q has disclosed it has taken action after becoming aware that it exposed data of suspected shoplifters on the internet, without password protection. The matter was brought to light by a security researcher last week.
He said the DIY chain had taken the data offline, but was not able to obtain a response from the company.
A B&Q spokeswoman told the BBC:
We have closed the issue down and are continuing to investigate how it occurred.
According to Lee Johnstone, chief executive of Ctrlbox Information Security, the exposed data included some 70,000 records of offender and incident logs.
Johnstone stated in a blog that the data included:
- the first and last names of individuals caught or suspected of stealing goods from stores;
- descriptions of the people involved, their vehicles and other incident-related information;
- the product codes of the goods involved; and
- the value of the associated loss.
One example of the details logged read: “Offender ran out of the fire exit with Nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area.”
Mr Johnstone wrote that the data was kept on an “Elasticsearch server” – an open-source search engine technology – that had not been configured to require any user authentication.
Reportedly, a spokeswoman for B&Q said the company believed the number reported in the blog was incorrect. She added that there were a number of other inaccuracies in the text. The spokeswoman declined to say what the “inaccuracies” were, but added:
Our continuing investigation will help us decide whether an ICO [Information Commissioner’s Office] notification is required.
There are no reports that the database had been accessed by any other non-authorised party.
However, Mr Johnstone wrote that he had sent several messages to B&Q before the logs became inaccessible, 11 days after he had first emailed the firm. Writing in the ctrlbox blog, he added:
On the 23rd of Jan the server finally went offline with the data no longer accessible. It's unknown if they have taken the server offline due to the notification sent out or if just by chance it's been taken offline; either way it's offline and it's better that way.
When asked for a comment concerning the exposed data incident, a spokeswoman for the Information Commissioner’s Office said:
Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms, …If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.