It has been reported that BrandBQ, a major player in the fashion retail industry in eastern Europe, left an Elasticsearch database containing customer data unprotected for six months this year.
Earlier this week, security researchers at vpnMentor revealed that they had discovered an unprotected database owned by BrandBQ that logged data obtained from the online stores of a couple of brands owned by BrandBQ: Answear and WearMedicine.com.
According to vpnMentor, the database was over 1 terabyte in size when it was discovered and contained over 1 billion data records, including full names, phone numbers, email addresses, dates of birth, IP addresses, home addresses, gender, product searches, and payment records. Researchers observed that new logs were uploaded every hour throughout July 2020, explaining the volume of data stored.
“Every one of these entries contained a wide range of Personally Identifiable Information (PII) data for potentially millions of people. Such detailed PII data is incredibly valuable to hackers and cybercriminals, who would consider BrandBQ’s exposed database an absolute goldmine.
“Aside from activity logs detailing customers’ actions and exposing their PII data, the database also appeared to contain approximately 50,000 entries relating to what seemed to be BrandBQ’s local contractors in various countries. We believe the contractors affected were local companies who receive and handle online purchases from BrandBQ websites in their respective countries,” the firm added.
In an email sent to teiss, BrandBQ refuted vpnMentor’s stance that the unprotected database had resulted in the leakage of customer records. Based on the analysis of network traffic and logs from network devices, they said, it had been established there was no data leakage and the analysis performed showed only port scanning.
According to BrandBQ: “A database that has not been properly secured for a certain period is an additional Elasticsearch database that processes system logs saved in connection with system errors and communication with external systems (warehouse system, mailing system, store application), as well as logs, orders, subscribing to the newsletter, changes in systems made by operating stores and registering users of online stores, via a browser or a mobile application.
“Logs are kept in the database for 14 days from the date of recording, and after this period they are automatically deleted. Most of the logs in this database did not contain personal data of our clients. The personal databases of any of our online stores have never been exposed to access by unauthorized users.”
While vpnMentor said BrandBQ had been contacted about the data exposure on 5th August, the company said it was only informed about the incident on 20th August and secured the unprotected database the same day. The company also reported the data security incident to the President of the Office for Personal Data Protection within the time specified in the regulations.
The company also added in the email that the database in question was technical in nature and most of the records in the database did not contain personal data. Personal data records constituted less than 1% of all records in the database and the maximum amount of customer data that appeared in the database at one time was no more than 50,000 records.
“The vulnerability concerned the log database from the following stores: wearmedicine.com, answear.bg, answear.hu, answear.sk, answear.ro, answear.cz. Data from the answear.com stores, i.e. the store servicing customers from Poland and answear.ua (for customers from Ukraine), are not stored in the above-mentioned database. These stores operate on a completely different system,” BrandBQ added.
In a separate reply sent to vpnMentor, BrandBQ admitted that between March and 20th August this year, the data of about 500,000 customers appeared in the database and each data record appeared for 14 days. The company said the database stored the basic data of customers who placed orders, subscribed to the newsletter, registered, or logged into the stores within 14 days of the event.
An excerpt of BrandBQ’s reply to vpnMentor is shown below.
It may well be that no customer data was leaked during this incident. However, the existence of unsecured databases is worrying, and teiss has had numerous reports of similar incidents around the world recently. Securing databases is a fundamental part of cyber hygiene and one that all organisations that wish to secure confidential and personal data must address.