123 Million Records Leaked by Decathlon

It was reported yesterday that French sporting retail giant Decathlon leaked over 123 million records through an improperly secured Elasticsearch server, leaving customer and employee details exposed.

The leak was spotted by security researchers Noam Rotem and Ran Locar at VPNmentor on 12th February. Decathlon were notified four days later; the leak was investigated and the server pulled down shortly after.

In light of the data breach affecting the retail firm, which has 44 UK stores, here’s how cybersecurity experts reacted:

Peter Draper, Technical Director – EMEA, Gurucul:

“Improperly secured Elasticsearch servers have been in the press for some time now. Every organisation running Elasticsearch should have proactively secured them by now, which is obviously not the case.

At the very least, some form of network traffic analysis should be in place to help detect unusual traffic if full-blown UEBA is not being used.”

Stuart Sharp, VP of solution engineering at OneLogin:

“It is disappointing that in 2020 we are still seeing retailers failing to follow even the most basic steps to secure their customers’ data.

The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). Retailers with websites are still Service Providers and they have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.

Passwords should never be held in the clear, and all ..
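Stuart Sharp’s point above is that a service should hold only a one-way, salted derivation of each password, never the password itself. The following is an added illustration written for this article, not code from Decathlon, OneLogin or any of the people quoted: it stores a PBKDF2-HMAC-SHA256 record with a random per-user salt, verifies a login attempt in constant time, and flags records whose parameters fall below the current policy so they can be upgraded at next login. The iteration count and record layout are assumptions chosen for the example, not a standard the page cites.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed policy values for this example; tune the iteration count to your hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    Nothing in the record can be reversed to the password; an attacker who
    obtains the record still has to brute-force each salted derivation.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, key_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = _unb64(salt_b64)
        expected = _unb64(key_b64)
    except (ValueError, TypeError):
        # Malformed or foreign record: reject rather than raise into the login path.
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses weaker parameters than the current policy.

    Call this after a successful verify_password() and re-hash with the
    plaintext the user just supplied, so old records are upgraded over time.
    """
    try:
        algorithm, stored_iterations, _salt, _key = record.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

Because the salt is random, two users with the same password get different records, so a leaked table cannot be attacked with one precomputed lookup; and because the record carries its own parameters, the iteration count can be raised later without invalidating existing accounts.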