B&Q Theft & Incident Log Data Exposed Online
B&Q said it has “closed the issue down” and is continuing to investigate how the data ended up exposed online.
DIY retail chain B&Q has reportedly taken down an exposed online database containing the details of suspected store thieves.
Last week, a cybersecurity researcher revealed details of the leak online. Lee Johnstone, chief executive of Ctrlbox Information Security, said the exposed records included more than 70,000 incident and offender logs.
While Johnstone acknowledged that the company had since removed the data from the web, he noted that B&Q’s reaction to the situation was slow and confusing.
On the Ctrlbox blog, Johnstone said that the first and last names of persons caught or suspected of stealing goods from B&Q branches were exposed. Additionally, descriptions of the individuals in question were also revealed, along with details pertaining to their vehicle make and other information related to incidents in stores.
One incident log, he revealed, described an event involving the theft of Nest thermostats.
“Offenders ran out of the fire exit with Nest thermostats,” the blog read. “The male on this occasion got away. There is no CCTV footage covering this area.”
The value of losses due to theft was revealed in the leak, Johnstone said, with details on product codes and stolen goods also available.
The Ctrlbox blog also highlighted the storage methods employed by the retailer, which showed that the data was stored on an “Elasticsearch server” – an open source search platform – configured so that no user ID or authentication was required to access it.
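To show what that kind of exposure looks like in practice, here is an added illustration (not from the Ctrlbox blog or B&Q) of an Elasticsearch node configuration that listens on every interface with security switched off, beside the hardened form; it assumes a recent Elasticsearch release that ships the built-in security module, and the hostnames and paths are placeholders.

```yaml
# --- Weak: the pattern behind most "open Elasticsearch" incidents ---
# elasticsearch.yml (placeholder example, constructed for illustration)
network.host: 0.0.0.0            # binds to all interfaces, including the public one
http.port: 9200
xpack.security.enabled: false    # no authentication: any client can read _cat/indices
                                 # and dump every document with a plain HTTP GET

# --- Hardened: same node, reachable only by authenticated clients ---
# elasticsearch.yml (placeholder example, constructed for illustration)
network.host: 127.0.0.1          # bind to loopback; front it with a firewall/VPN
                                 # or a reverse proxy if remote access is really needed
http.port: 9200
xpack.security.enabled: true     # every request must carry valid credentials
xpack.security.http.ssl.enabled: true        # encrypt the REST API in transit
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
xpack.security.transport.ssl.enabled: true   # encrypt node-to-node traffic too
xpack.security.audit.enabled: true           # log who queried which index, so an
                                             # exposure window can be investigated
```

Even with the hardened settings, a network-level control (firewall rule or security group limiting port 9200 to known clients) is what turns a misconfiguration into a contained fault rather than a public data leak, and the audit log is what lets an operator answer the question B&Q could not: whether anyone else read the data.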
A spokesperson for B&Q told the BBC: “We have closed the issue down and are continuing to investigate how it occurred.”
The firm also contested Johnstone’s claims, suggesting that the reported numbers were wrong and that there were a host of inaccuracies in the text.
“Our continuing investigation will help us decide whether an ICO notification is required,” it said.
Currently, there is no evidence to suggest that the database was accessed by an unauthorised party. However, Johnstone said that repeated efforts to alert the company had failed until the database was taken down on the 23rd of January.
Johnstone wrote: “CTRLBOX first started to look around the trade point website for a method to contact them and alert them, which was pretty easy, so on the 12th of Jan a notification email was sent off and contact was attempted also to the support account for B&Q, who is the parent company of trade point.
“At first it seemed like I had hit success, but then a day after it was still accessible… 4 days after the first notification it was still open; clearly they had not got the message and it was becoming clear that B&Q was not going to act on this any time soon.”