IT Security Guru
123 Million Records Leaked by Decathlon

(Another) Misconfigured ElasticSearch Server Leaving Customers' and Employees' Details Exposed

by Sabina
February 27, 2020
in Data Protection, News

It was reported yesterday that French sporting retail giant Decathlon leaked over 123 million records through an improperly secured ElasticSearch server, leaving customer and employee details exposed.

The leak was spotted by security researchers Noam Rotem and Ran Locar at VPNmentor on 12th February; Decathlon was notified four days later, investigated the leak, and pulled the server down shortly after.

In light of the data breach affecting the retail firm, which has 44 UK stores, here’s how cybersecurity experts reacted:

Peter Draper, Technical Director – EMEA Gurucul:

“Improperly secured Elasticsearch servers have been in the press for some time now. Every organisation running with Elasticsearch should have proactively secured them by now; obviously that is not the case.

At the very least some form of network traffic analysis should be in place to help detect unusual traffic if full-blown UEBA is not being used.”

Stuart Sharp, VP of solution engineering at OneLogin:

“It is disappointing that in 2020 we are still seeing retailers failing to follow even the most basic steps to secure their customers’ data.

The vast majority of websites should never need to store a user’s password (instead they are stored as a one-way, non-reversible hash). Retailers with websites are still Service Providers and they have a duty of care to their users to follow security best practices — discovery of a vulnerability like this should prompt a service provider to go back to the drawing board and have a radical rethink of their approach to security.

Passwords should never be held in the clear, and all data stores should be regularly reviewed and tested to ensure they are secure. Consumers who think they may be affected should be sure to update passwords on any websites where they have used the same password and ensure that they enable 2FA on any site that holds PII, especially those that save their credit card details.”

Hugo van den Toorn, manager of offensive security at Outpost24:

“Unfortunately, yet another Elastic Database that is open to the public, which has nothing to do with the product itself but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations. As datasets grow to these sizes and contain this sensitive information, data is becoming increasingly valuable to our business and in some cases even more valuable than money.

Unfortunately, not everyone protects (your) data like the valuable asset it is. Even after vendors make statements such as ‘we take your security and privacy seriously’, we often see security ending up somewhere on the bottom of the priority list… Assuming it made the priority list at all.”

Marco Essomba, founder, iCyber-Security:

“It is imperative for companies to understand that cloud infrastructures come with considerable risk to data theft & organisations must conduct regular security tests to ensure that servers are not misconfigured when deployed in the cloud. This can be done by conducting continuous vulnerability assessment so that when servers are exposed on the internet, security flaws can be detected & remediated quickly before any damage is done.

As more organisations migrate to the cloud, these types of leaks are bound to rise because security is very often an afterthought. Rigorous security checks must be put in place to ensure that when servers are moved to the cloud, security checks are embedded as part of the migration process.”

Warren Poschman, senior solutions architect at comforte AG:

“Another week, another ElasticSearch misconfigured server. This time, unfortunately, sports giant and manufacturer Decathlon is the victim. It is clear that those that choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough. Just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations. Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised. If anyone is still snoozing while dreaming that their data is safe while “hidden in plain sight” on an “anonymous” cloud resource, the string of lapses around ElasticSearch instances is a wakeup call in the form of a 3am fire alarm.”
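The misconfiguration the commentators describe, an Elasticsearch node bound to every interface with no authentication in front of it, is the kind of thing the "regular security tests" Essomba calls for can catch before deployment by auditing elasticsearch.yml. The following check is an added example written for this article, not code from Decathlon, VPNmentor or Elastic; the two sample configs are constructed, and it assumes the pre-8.x default that security is off unless xpack.security.enabled is explicitly true.

```python
"""Flag the 'open to the internet without authentication' Elasticsearch pattern.
Constructed example for this article, not Decathlon's configuration or an Elastic tool.
Assumes pre-8.x behaviour (security OFF unless xpack.security.enabled is true) and a
flat elasticsearch.yml with one scalar 'key: value' per line."""

LOOPBACK_HOSTS = {"_local_", "127.0.0.1", "localhost", "::1"}

def parse_flat_yaml(text: str) -> dict:
    """Read flat 'key: value' lines; strips comments, ignores nested YAML."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip().strip("\"'")
    return config

def as_bool(value, default: bool = False) -> bool:
    """Elasticsearch booleans are 'true'/'false'; a missing key takes the default."""
    return default if value is None else str(value).lower() == "true"

def audit(config: dict) -> list:
    """One finding per exposure condition; an empty list means nothing flagged."""
    host = config.get("network.host", "_local_")  # Elasticsearch binds loopback by default
    exposed = host not in LOOPBACK_HOSTS
    auth_on = as_bool(config.get("xpack.security.enabled"))
    tls_on = as_bool(config.get("xpack.security.http.ssl.enabled"))
    findings = []
    if exposed and not auth_on:
        findings.append(f"network.host={host} with security disabled: the REST API on port "
                        f"{config.get('http.port', '9200')} answers anyone who can reach it")
    if exposed and not tls_on:
        findings.append("HTTP layer has no TLS: credentials and records cross the wire in clear")
    return findings

# Constructed sample configs; the weak one mirrors the 'quick cloud deploy' pattern.
WEAK_CONFIG = """
cluster.name: shop-search
network.host: 0.0.0.0   # listen on every interface so the app tier can reach it
http.port: 9200
"""
HARDENED_CONFIG = WEAK_CONFIG + """
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Binding to a non-loopback address is legitimate when the app tier must reach the node; the finding is the combination of that binding with security left at its default, which is exactly what turns a search index into a public data set.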

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic