Sports retailer Decathlon left employee data exposed

Sporting goods retailer Decathlon has become the latest high-profile enterprise to suffer a data leak resulting from a misconfigured cloud service, after leaving 123 million records totalling more than 9GB of data exposed on an unsecured ElasticSearch server.

The data, which relates mostly to the French retailer’s Spanish business but may also impact the UK, was uncovered by Noam Rotem and Ran Locar of vpnMentor’s security research team, who have been conducting an extensive web mapping project highlighting the widespread problem of cloud storage services being left unprotected.

“The leaked database contains a veritable treasure trove of employee data and more,” said Rotem and Locar in their disclosure. “It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information.”

The data included employee system usernames, unencrypted passwords, API logs, API usernames and unencrypted passwords.

It also held personally identifiable information (PII) relating to staff, including their names, nationalities, birthdays, phone numbers, addresses, education details and qualifications and contract information.

Customer details included unencrypted emails and login information, private IP addresses, login attempts and API details.

Decathlon was notified of the leak on 16 February 2020, and the database was secured on 17 February, but the firm may now be at significantly increased risk of corporate espionage, account takeover and targeted phishing attempts, while enough information on employees was disclosed to easily enable cyber criminals to steal their identities.

There is also a risk of physical threats. Because data on employees’ job roles and locations was included in the database, their personal, real-world safety could be put in danger if, for example, a particularly irate customer was to get their hands on the information.

“Decathlon could easily have avoided this leak if they had taken some basic security measures to protect the database,” said Rotem and Locar. “These include, but are not limited to: secure your servers, implement proper access rules, and never leave a system that doesn’t require authentication open to the internet.”

Censornet CEO Ed Macnair said: “The scale of this breach is not only hugely embarrassing for Decathlon, but also very concerning for the employees and customers who have been put at risk. The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack. Besides the potential cyber security ramifications, as their home addresses have been exposed too, their physical safety could also be at risk.

“This is the latest in a long line of organisations that have fallen foul of an unsecured cloud database. As more organisations move data to the cloud, it is imperative that they understand that this comes with greater responsibilities and different security challenges. When it comes to cloud infrastructure configuration, it only takes one instance of human error for large amounts of sensitive data to be exposed.” 

Macnair added: “Companies of all sizes need to take responsibility for the data they store by implementing technology that offers them visibility and control over how sensitive data is being handled in the cloud. The key to preventing leaks such as these is a multi-layered security posture that combines best practice policies and employee awareness with the right technology.”