Thieves’ names and descriptions made public on B&Q database

When people find unsecured Elasticsearch databases online, they often contain sensitive customer information.

Not so with UK-based DIY giant B&Q, which reportedly suffered its own breach this week. Instead of customer data, an exposed Elasticsearch instance gave up information on around 70,000 shoplifters, according to Australian security researcher Lee Johnstone.

The exposed data included the names of thieves, along with the product codes of the things they had attempted to steal, the total price of the losses, and location data for the stores. Also included were detailed descriptions of people and their vehicles.

According to Johnstone’s report, the instance was operated by TradePoint, the arm of B&Q that focuses on trade-only sales.

He said that TradePoint was operating an internal programme to track incidents of theft across its stores, along with information about the offenders. The retailer stored all of this in an Elasticsearch database that was connected to the public internet without any form of authentication. Elasticsearch releases of that era shipped with no authentication unless security was explicitly configured, so binding the HTTP port (9200 by default) to a public interface was enough to expose every index to anyone who found it.
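The two checks a practitioner would run for exactly this failure mode, added here as an example and not taken from Johnstone's report or from B&Q: a static pass over elasticsearch.yml that flags a node bound to a non-loopback address while X-Pack security is off (the pre-Elasticsearch-8 default, assumed here), and a classifier for the reply to `GET /` on the HTTP port, where an open node returns a 200 JSON banner and a secured one returns 401. The config snippets and HTTP bodies are constructed samples, not data from the incident.

```python
"""Checks for an Elasticsearch node left reachable without authentication.

Static check: read the flat 'key: value' settings of elasticsearch.yml and
flag a node that binds to a non-loopback address while X-Pack security is
off (the default before Elasticsearch 8, assumed here).
Dynamic check: classify the reply to GET / on the HTTP port (9200 by
default). An open node answers 200 with a JSON banner carrying
cluster_name and version; a secured node answers 401.
"""
import ipaddress
import json

LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def binds_beyond_loopback(host_setting):
    """True if network.host makes the node reachable from other machines."""
    if not host_setting:
        return False  # unset: Elasticsearch binds to loopback only
    hosts = [h.strip().strip("\"'") for h in host_setting.strip("[]").split(",")]
    for host in hosts:
        if host in LOOPBACK_VALUES:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # _site_, _global_, an interface name or a hostname: routable
        return True
    return False


def assess_config(yaml_text, security_default="false"):
    """Return {'reachable': bool, 'authenticated': bool, 'verdict': str}."""
    settings = parse_flat_yaml(yaml_text)
    reachable = binds_beyond_loopback(settings.get("network.host"))
    authenticated = settings.get("xpack.security.enabled", security_default).lower() == "true"
    if reachable and not authenticated:
        verdict = "exposed"
    elif reachable:
        verdict = "authenticated"
    else:
        verdict = "loopback-only"
    return {"reachable": reachable, "authenticated": authenticated, "verdict": verdict}


def classify_banner(status, body):
    """Classify the response to GET / on the Elasticsearch HTTP port."""
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "anonymous-access"
    return "unknown"


# Constructed samples (not from the B&Q/TradePoint instance).
WEAK_CONFIG = """
cluster.name: loss-prevention
network.host: 0.0.0.0        # listen on every interface, no security setting
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: loss-prevention
network.host: 10.0.0.5
xpack.security.enabled: true
"""

OPEN_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "loss-prevention",
    "version": {"number": "6.5.4"},
    "tagline": "You Know, for Search",
})
SECURED_BANNER = json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication credentials"},
    "status": 401,
})

if __name__ == "__main__":
    print(assess_config(WEAK_CONFIG)["verdict"])       # exposed
    print(assess_config(HARDENED_CONFIG)["verdict"])   # authenticated
    print(classify_banner(200, OPEN_BANNER))           # anonymous-access
    print(classify_banner(401, SECURED_BANNER))        # auth-required
```

The static check treats any non-loopback bind as reachable, including the `_site_` and `_global_` interface aliases and plain hostnames, because a firewall is not something the config file can vouch for; the banner check is the same thing a scanner does when it indexes open instances, so running it against your own hosts finds them before someone else does.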

Johnstone quotes just one record from the exposed database, describing an offender who got away. It reads:

Offender ran out of the fire exit with nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area. No CCTV coverage of the theft or witnesses.

There apparently wasn’t any information in the data itself identifying the retailer; the researcher had to work out the connection to B&Q from the store geodata and the kinds of products that the light-fingered contractors had pilfered.

By his account, Johnstone made a solid effort to contact TradePoint and B&Q, but complains that it took the security team too long to take down the rogue database. He first contacted them on 12 January 2019, but in spite of assurances that they were looking into the matter, the Elasticsearch instance only became inaccessible on 23 January 2019.

The BBC reports that B&Q disputes some of the details of the incident, questioning the number of records involved. It also claimed other inaccuracies without detailing what they were.

All it takes is one breach with enough personal data to draw the attention of the UK Information Commissioner’s Office, though. Under GDPR, a personal data breach must be reported to the regulator within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to the individuals affected; details that aren’t yet known can follow in phases, but the clock starts at discovery, not at takedown.

Not the first insecure Elasticsearch

This isn’t the first insecure Elasticsearch instance to give up sensitive data and we’re sure it won’t be the last.

A voice over IP provider served up nearly 15 million documents via an insecure server earlier this month, exposing sensitive internal credentials, and researchers also found exposed records for over 100 million bets processed by online gambling sites. Those records included personal information on the customers involved.