A European fashion retailer has become the latest brand to expose the personal data of millions of its customers after misconfiguring a cloud database.
Researchers at vpnMentor discovered an unencrypted Elasticsearch server on June 28 and parent company BrandBQ finally secured it about a month later, on August 20.
The Krakow-based retailer operates online and physical stores across Eastern Europe, in Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine and the Czech Republic. Its main brands are Answear and WearMedicine.com.
Among the one billion entries in the open database, 6.7 million records were associated with online subscribers, with each entry exposing personally identifiable information (PII) including full name, email and home address, date of birth, telephone number, and payment details (although not card details).
A further 50,000 records related to local contractors in certain jurisdictions and included additional information such as VAT numbers and purchase details. The database also contained API call logs from the Answear mobile app, exposing PII on 500,000 Android app users and an unknown number of people who had downloaded the iOS version, vpnMentor claims.
The exposed data could be a useful source of PII for cybercriminals looking to launch convincing phishing attacks and identity fraud, the researchers added.
“The same tactics could be used against contractors who were exposed to the leak, and BrandBQ itself. A successful phishing campaign against a business can be devastating and challenging to overcome,” the company explained in a blog post.
“In addition, it only takes one employee with no education about cybercrime to click on a link in an email that could infect the entire company’s network. With more than 700 employees, this is a real risk for BrandBQ.”
Attackers could theoretically also exploit the data for corporate espionage, and use the “sensitive technical information” in the database to look for vulnerabilities to exploit.