DronesForLess.co.uk, an online seller of low cost drones in the UK, was recently found to have pasted over 10,000 online transaction records on its website without making any attempts to encrypt such data.
According to The Register, the exposed online transaction records not only revealed “names, addresses, phone numbers, email addresses, IP addresses, devices used to connect to the site, details of ordered items, the card issuer and the last 4 digits of credit cards used to pay for goods”, but also revealed details of police, military, government and private customers who purchased drones on the website.
It added that the data could be accessed by anyone with even a limited knowledge of browsing on the Internet. This revelation comes at a time when GDPR is less than fifty days away and firms across the UK are rushing to ensure compliance with the landmark privacy regulation.
The Register was initially tipped off by Alan at secret-bases.co.uk, following which it investigated the exposure and found his claims to be correct. It then contacted the site’s operators to report the exposure on 2nd April and it took several days for the operators to finally remove the exposed data from their website.
It is not known how long records of online transactions were stored in DronesForLess.co.uk without encryption, and whether any of that data was accessed and then misused by cyber criminals.
According to The Register, those who purchased cameras and drones on the website included not only private citizens in the UK, but also “staff from privatised defence research firm Qinetiq; the UK’s Defence Science and Technology Laboratory’s radar R&D base at Portsdown Hill; the Brit Army’s Infantry Trials and Development Unit; UK police forces up and down the country; local councils, and governmental agencies”.
This isn’t the first time that sensitive and personal information of customers or employees has been stored online by firms without protecting them with adequate security. Last year, personal details of as many as 500 specialist trainee doctors at St Helens and Knowsley Teaching Hospitals NHS Trust were exposed after an internal spreadsheet containing their sensitive and private details was published online. Details in the spreadsheet included National Insurance numbers, email addresses, and home addresses of the 500 doctors.
In August last year, poor security controls implemented by SwiftQueue, an NHS contractor who managed appointments for patients seeking treatment or consultation at eight NHS trusts, allowed a hacker to access and steal sensitive details of 1.2 million patients including their names, phone numbers, email addresses, and passwords.
“I think the public has the right to know how big companies like SwiftQueue handle sensitive data. They can’t even protect patient details,” the hacker told The Sun. The hacker added that he was also able to download the contractor’s entire database that contained 11 million patient records.