A European fashion retailer exposed the personal data of millions of its customers by using a misconfigured cloud database. Researchers at vpnMentor discovered the unsecured Elasticsearch server. The discovery was made on June 28, and the parent company, BrandBQ, was notified about a month later, on August 20.
The Krakow-based retailer has both online and physical stores. Its physical stores are located throughout Eastern Europe: Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine and the Czech Republic. Its main brands are answear and WearMedicine.com.
According to the researchers, the exposed database contained about 1 billion records. Of these, 6.7 million belonged to the company's online customers. The exposed data included personally identifiable information (PII) such as full names, e-mail addresses, home addresses, dates of birth, telephone numbers and payment records (although no payment card details were included).
In addition, the database contained 50,000 files related to local contractors, exposing information such as VAT numbers and purchase details. Finally, according to the vpnMentor researchers, data related to Answear's mobile application was also affected, exposing the personal information of 500,000 users of the Android application as well as users of the iOS version.
The researchers believe that the exposed database contains enough data for cybercriminals to carry out successful and very convincing phishing attacks.
"The same tactics could be used against contractors and BrandBQ itself. A successful phishing campaign against a company can be absolutely destructive, and tackling it is a challenge," explained BrandBQ.
"Plus, all it takes is one employee without cybersecurity training clicking on a malicious link in an e-mail, and the whole network of a company could be infected. With more than 700 employees, this is a real risk for BrandBQ."
According to Infosecurity Magazine, attackers could also use the exposed data for corporate espionage and take advantage of the "sensitive technical information" in the database to discover vulnerabilities that could be exploited.