B&Q found to have leaked details of 75,000 thieves
B&Q has been found to have leaked details of 75,000 shoplifters including vehicle descriptions and full names.
The leak was found by security researcher Ctrlbox Information Security, which said the details were leaked on to the internet without password protection. The group said B&Q had removed the sensitive data and a spokesperson for the DIY retailer said: “We have closed the issue down and are continuing to investigate how it occurred.”
Ctrlbox CEO, Lee Johnstone, who was the first to inform B&Q of the leak, claims he sent the retailer numerous messages before it took action. He also claims the leaked information included descriptions of the people involved, the product codes of the goods involved and the value of the associated loss.
The leaked information is said to include descriptions of the people involved, the product codes of the goods involved and the value of the associated loss.
An example of a leaked log entry read: “Offender ran out of the fire exit with Nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area.”
According to the security researcher, the data was held on an ‘Elasticsearch’ server, and open source technology which had not been set up to use user-ID authentication.
A spokesperson for B&Q said they felt that the number quoted in Ctrlbox’s research was inaccurate and that there was further inaccuracies within the text however it declined to say what they were.
A spokeswoman for Ctrlbox, said: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
