[BreachExchange] Sports Giant Decathlon Leaks 123 Million Records

Destry Winant destry at riskbasedsecurity.com
Wed Feb 26 10:24:24 EST 2020


https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/

French sporting retail giant Decathlon has become the latest big brand
to expose user data via a misconfigured database, leaking over 123
million records including customer and employee information, according
to researchers.

A team at vpnMentor uncovered the 9GB database on an unsecured
Elasticsearch server. It contained information from Decathlon’s
Spanish, and potentially also its UK, businesses.

“The leaked Decathlon Spain database contains a veritable treasure
trove of employee data and more. It has everything that a malicious
hacker would, in theory, need to use to take over accounts and gain
access to private and even proprietary information,” said vpnMentor.

Leaked data included employee usernames, unencrypted passwords and
personally identifiable information (PII) including social security
numbers, full names, addresses, mobile phone numbers and birth dates.

The leaked data also featured customer email and log-in information,
all unencrypted.

The vpnMentor team claimed that cyber-criminals could: use
administrator log-ins to conduct corporate espionage, bombard
customers and employees with convincing phishing emails and use PII to
engage in identity fraud.

It even argued that some employees could be in physical danger.

“Employees’ positions and work locations are spread throughout this
database, as well as their own physical home addresses,” the report
noted. “This could lead to disgruntled former co-workers or irate
customers tracking them down and threatening their physical safety and
well-being.”

Decathlon is claiming that, despite the large number of records
contained in the database, only a small percentage relates to actual
users.

The unsecured database was discovered on February 12, with the company
notified four days later. It took action almost immediately, closing
down public access to the database on February 17.

Decathlon joins a long line of organizations whose cloud security
configurations have been found wanting. Already in 2020, vpnMentor has
uncovered a leak of 30,000 records linked to US cannabis users, and
thousands of UK business professionals who were exposed via a
London-based consultancy.
