weerapat1003 - stock.adobe.com

VAT software supplier exposed data of millions

Eight million sales records belonging to UK and EU consumers left exposed due to misconfigured server

A MongoDB database containing the personal data of millions of UK residents was left exposed to the public internet for almost a week after its owner neglected to secure the Amazon Web Services (AWS) server that housed it.

The company in question, an unnamed software supplier, pulled records including names, email addresses, shipping addresses, purchase details, and redacted credit card numbers from the marketplace and payment system application programming interfaces (APIs) of Amazon, Ebay, PayPal, Shopify and Stripe to help merchants using these platforms calculate VAT.

It also contained Amazon Marketplace Web Services (MWS) queries including authentication tokens, API queries, AWS access key IDs and secret keys.

However, according to Comparitech threat researcher Bob Diachenko, who uncovered the exposed server on 3 February, the owner left the records visible to the web without any password or authentication needed to access it.

Because Diachenko was at first unable to identify the owner of the database, he contacted AWS, which launched its own investigation, before continuing his own.

“Time was of the essence here, since millions of UK shoppers personal, payment and shipment information was at risk, so I started to analyse the content of database and after several days I made the connection to the ultimate owner,” said Diachenko.

It took Diachenko five days to identify the company that owned the data, which responded to his initial contact and locked down the database within an hour. He said that this timeframe would have given any bad actors plenty of time to find and steal the data, although it was impossible to know for sure whether anybody had done so.

If the data was accessed, it would give cyber criminals the opportunity to pose as the likes of Amazon or PayPal to conduct targeted phishing campaigns against consumers to extract more actionable data. Such attempts could appear convincing as any cyber criminals using the compromised database would have details of customers and their purchases to hand.

Meanwhile, the MWS queries and login info, said Diachenko, could be used to query the MWS API to request specific records from suppliers’ sales databases. It is therefore advisable for suppliers to change their MWS passwords and secret keys immediately.

An Amazon spokesperson said: “We were made aware of an issue with a third-party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon.

“The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third-party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.”

An eBay spokesperson said: "We investigated an incident regarding information from a third party developer and can confirm that no eBay systems were compromised and no data was taken from eBay. Our customers’ privacy and data remains a top priority. We are committed to creating an experience on our sites and services that is safe, secure, and trustworthy."

Blame game

Comparitech said this latest exposure exemplified how easily and frequently personal and payment details often pass through the hands of various other organisations contracted to process, organise and analyse it.

In this case, the software company had built an app that assisted merchants using the various marketplaces involved in aggregating sales and refund data from multiple marketplaces and calculating VAT for cross-border sales in the EU.

To do so, it would have been required to properly secure the data on receipt, storage, usage and transfer – failure to do so could still result in suspension of termination of its access to the platform APIs.

Comparitech said it had chosen not to disclose the name of the developer responsible for the database because it was a legitimate small business, not a criminal enterprise.

“Our intent is to raise awareness and mitigate harm to customers who might be affected, not to punish mistakes. Given that the vast majority of customers are probably not aware their data ever passed through this vendor’s hands, we do not believe there is much to be gained from exposing it,” said Comparitech.

Read more about data breaches

  • Compromised login credentials and human error were the most common causes of data breaches reported under Australia’s notifiable data breach regime from July to December 2019.
  • Cathay Pacific receives maximum financial penalty under Data Protection Act for data breach that led to nine million customers having their personal data accessed by hackers.
  • Telco provider Virgin Media confirms ‘data incident’ that left personal details of 900,000 people exposed, but denies its systems were hacked or that it suffered a data breach.

Read more on Privacy and data protection

Data Center
Data Management