Experts' Insight: Decathlon Suffers Major Breach Exposing Over 120 Million Records

French sports giant Decathlon has leaked over 123 million records via an improperly secured Elasticsearch server, according to security researchers Noam Rotem and Ran Locar at VPNmentor. The two spotted the database on February 12 and notified the company four days later (they say they typically need "days of investigation before we understand what's at stake or who's leaking"). Decathlon has 44 stores around the UK and is present in 46 countries. It employs over 90,000 people globally and has annual revenues of more than €11 billion. It pulled down the server shortly after being notified.


EXPERTS COMMENTS
Yana Avezova, Analyst, Positive Technologies
February 27, 2020
In particular, specific authentication controls should be implemented. In this case, Elasticsearch uses the X-Pack plugin.
Major data leaks from Elasticsearch servers, as was the case with Decathlon, are occurring with increasing frequency. This problem is not related to a specific industry and is relevant for any company in which large volumes of information are stored and processed using Elasticsearch software. In the case of Decathlon, we see several security issues that led to the leak. First, there is a miscon ....
Cath Goulding, CISO, Nominet
February 27, 2020
Cloud isn't inherently insecure, but we do need to be adapting our due diligence to fit this new environment.
Decathlon is only the latest company to suffer from the security risks of a misconfigured database, but the lessons here are not only about cloud and configuration; it's about a multi-layered approach to cyber. While the term is often used as a throwaway comment or advice from security vendors, it's clear that there is still a long way to go to achieve a truly multi-layered defence in depth a ....
Jake Moore, Cybersecurity Specialist, ESET
February 27, 2020
Account owners will need to be certain that they haven't used the same password for their Decathlon account in other online accounts.
The implications of such exposed data could be catastrophic to the victims involved, and such a large amount of personal data on each of the victims is more than I would usually see in an attack like this. Bank fraud and identity theft are naturally the first areas of concern, but with this amount of data at their disposal, the possibilities are endless to bad actors. It would take a significant a ....
Chris Miller, Regional Director, UK & Ireland, RSA Security
February 26, 2020
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides.
Incidents like these are a reminder that businesses need to remain accountable for protecting their data – no matter where it resides. While in any business it is now highly likely that some personally identifiable information will be hosted by cloud providers, this doesn’t absolve companies of responsibility; as technologies such as the cloud are embraced and used for storing data, businesses ....
Ed Macnair, CEO, Censornet
February 26, 2020
It only takes one instance of human error for large amounts of sensitive data to be exposed.
The scale of this breach is not only hugely embarrassing for Decathlon but also very concerning for the employees and customers who have been put at risk. The exposed details include crucial personally identifiable information, such as social security numbers, full names and addresses, and offer cyber criminals everything they need to launch a targeted attack. Besides the potential cyber secu ....
James McQuiggan, Security Awareness Advocate, KnowBe4
February 26, 2020
This database was sitting in a location viewable from the internet, unsecured and unencrypted.
Employees responsible for protecting and using data need to have a robust security program in place to understand the systems where data is stored and monitor all access. This database was sitting in a location viewable from the internet, unsecured and unencrypted; dangerous practices that have certainly led to exposure of a large amount of sensitive data. To have data residing on internet faci ....
Chad Anderson, Research Engineer, DomainTools
February 26, 2020
Any database containing PII should never be left unencrypted and exposed without authentication.
For years Elastic — the maintainers of the open-source Elasticsearch — charged for basic customer-safety features like encryption at rest and authentication for databases. This led to a lot of companies using open Elasticsearch clusters without proper security so it is not surprising that there are thousands of these open Elasticsearch clusters out there exposing data. Now that Amazon has open ....
Hugo Van den Toorn, Manager, Offensive Security, Outpost24
February 26, 2020
With the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations.
Unfortunately, this is yet another Elastic database that is open to the public, which has nothing to do with the product itself but purely with how the vendor has decided to set up their infrastructure and deploy their software. With the countless possibilities of 'quickly deploying a system in the cloud', security is -still- often overlooked by organisations. As datasets grow to these sizes and contai ....
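Several of the comments above (Avezova on X-Pack authentication controls, Anderson on clusters exposed without authentication, Van den Toorn on the deployment rather than the product being at fault) describe the same configuration pattern. The script below is an added example written for this page; it is not Decathlon's configuration, the VPNmentor researchers' tooling, or code from Elastic. It parses two constructed elasticsearch.yml fragments, one with the weak settings and one corrected, flags the combination that makes a cluster anonymously readable from the internet, and classifies what an unauthenticated GET / on the REST port returns: a 200 carrying the cluster banner (anonymous access works) versus a 401 with a WWW-Authenticate challenge (security is on). The setting names are real Elasticsearch settings; the cluster name, addresses, version number and the two sample HTTP responses are constructed for illustration.

```python
"""Audit elasticsearch.yml for the 'open Elasticsearch' pattern and
classify an unauthenticated probe of the REST API.

Added example for this page; the configs and responses below are
constructed, not taken from the Decathlon incident."""
import json
from typing import Dict, List, Tuple

# Values of network.host / http.host that keep the REST API off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat 'dotted.key: value' style of elasticsearch.yml.
    Assumption: no nested YAML blocks (dotted keys are the usual style)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()      # drop trailing comment
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_config(settings: Dict[str, str]) -> List[str]:
    """Return findings, CRITICAL first, for the settings that matter here."""
    findings: List[str] = []
    # network.host defaults to _local_ (loopback); http.host overrides it for REST.
    host = settings.get("http.host", settings.get("network.host", "_local_"))
    exposed = host not in LOOPBACK
    if exposed:
        findings.append(f"INFO: REST API listens on {host!r} (non-loopback); "
                        "restrict reachability with a firewall or security group")
    security = settings.get("xpack.security.enabled", "").lower()
    if security == "false":
        findings.append("HIGH: xpack.security.enabled is false; no authentication "
                        "on the REST or transport layer")
    elif security == "":
        findings.append("HIGH: xpack.security.enabled not set; the default is false "
                        "before Elasticsearch 8.0 (true from 8.0 onward)")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("MEDIUM: xpack.security.http.ssl.enabled is not true; REST "
                        "traffic and any credentials travel in cleartext")
    if exposed and security != "true":
        findings.insert(0, "CRITICAL: network-reachable cluster with no authentication; "
                           "anyone who finds port 9200 can read and write every index")
    return findings


def classify_probe(status: int, headers: Dict[str, str], body: str) -> str:
    """Interpret the response to an unauthenticated GET / on the REST port.
    'open' means the cluster banner came back without credentials."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"
        return "open" if "cluster_name" in doc and "version" in doc else "unknown"
    if status == 401 and "www-authenticate" in hdrs:
        return "auth-required"        # security enabled, credentials demanded
    if status == 403:
        return "forbidden"            # reachable, but the anonymous role lacks rights
    return "unknown"


# --- constructed sample inputs -------------------------------------------------
WEAK_CONFIG = """\
cluster.name: shop-search
node.name: es-1
network.host: 0.0.0.0            # listen on every interface
http.port: 9200
xpack.security.enabled: false    # 'just to get it working'
"""

HARDENED_CONFIG = """\
cluster.name: shop-search
node.name: es-1
network.host: 10.0.4.12          # private interface only; reach it via bastion or VPN
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
"""

OPEN_RESPONSE: Tuple[int, Dict[str, str], str] = (
    200, {"content-type": "application/json; charset=UTF-8"},
    json.dumps({"name": "es-1", "cluster_name": "shop-search",
                "cluster_uuid": "constructed-uuid", "version": {"number": "7.5.2"},
                "tagline": "You Know, for Search"}))

LOCKED_RESPONSE: Tuple[int, Dict[str, str], str] = (
    401, {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"',
          "content-type": "application/json; charset=UTF-8"},
    json.dumps({"error": {"type": "security_exception",
                          "reason": "missing authentication credentials for REST request [/]"},
                "status": 401}))

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_config(parse_flat_yaml(cfg)):
            print("  -", finding)
    print("open probe   ->", classify_probe(*OPEN_RESPONSE))
    print("locked probe ->", classify_probe(*LOCKED_RESPONSE))
```

The audit treats an absent xpack.security.enabled as a finding rather than assuming the newer default, because the version running on a forgotten cloud instance is exactly what nobody checks; and a 200 from the probe is classified as open even when security is on, since an anonymous role with read privileges produces the same banner. Binding to a private address, as the hardened fragment does, is a network-layer control and does not replace authentication; both are needed.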
