Unsecured B&Q database spills shoplifter data

• The breach in the retail firm’s database revealed data of 70,000 shoplifters in an Elasticsearch instance.
• It occurred at its subsidiary company Trade Point, the trade-only arm of the firm.

British retail firm B&Q was subject to a data breach last week. However, instead of sensitive data getting leaked out in the open, a surprising list of shoplifters was revealed.

Furthermore, the database exposed additional details such as product codes of the products being stolen, store locations with shoplifting instances and financial losses.

Elasticsearch instance

Cybersecurity expert Lee Johnstone who ascertained the details of this breach explained that the B&Q subsidiary Trade Point used an Elasticsearch instance for indexing data which was found to be exposed. Shockingly enough, the database was not found to have any authentication at all.

Interestingly enough, the database contained the information on around 70,000 shoplifters and the products they stole.

Meanwhile, Johnstone immediately contacted B&Q regarding this issue but the company is still yet to respond to fix this issue. However, their Elasticsearch server has since gone offline.

“On the 23rd of Jan, the server finally went offline with the data no longer accessible. Its unknown, if they have taken the server offline due to the notification, sent out or if just by chance its been taken offline, either way, it's offline and its better that way,” said Johnstone in the post.

Contrary to this finding, B&Q denied that the numbers mentioned by Johnstone as well as pointed to other inaccuracies in the post.

Recently Elasticsearch databases have witnessed more breaches due to use of poor security measures by database owners. Even worse, some of them have been found with basic authentication missing. Just few days ago, the data breach of 24 million loan documents in the US was the result of an unprotected Elasticsearch database too.