by Danny Bradbury
When people find unsecured Elasticsearch databases online, they often contain sensitive customer information.
Not so with UK-based DIY giant B&Q, which reportedly suffered its own breach this week. Instead of customer data, an exposed Elasticsearch instance gave up information on around 70,000 shoplifters, according to Australian security researcher Lee Johnstone.
The exposed data included the names of thieves, along with the product codes of the things they had attempted to steal, the total price of the losses, and location data for the stores. Also included were detailed descriptions of people and their vehicles.
According to Johnstone’s report, the instance was operated by TradePoint, the arm of B&Q that focuses on trade-only sales.
He said that it was operating an internal program to track incidents of theft across its stores, along with information about the offenders. The retailer stored all this information in an Elasticsearch database that was connected to the public internet, and without any form of authentication.
Johnstone quotes just one juicy record from the exposed database, describing an offender who got away. It reads:
Offender ran out of the fire exit with nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area. No CCTV coverage of the theft or witnesses.
There apparently wasn’t any identifying information about the retailer involved; the security researcher had to work out the connection to B&Q from the store geodata and the kinds of products that the light-fingered contractors had pilfered.
By his account, Johnstone made a solid effort to contact TradePoint and B&Q, but complains that it took too long for the security team to take down the rogue database. He initially contacted them on 12 January 2019, but in spite of assurances that they were looking …