Mass Leak of Drone Buyers Data
Drone dealership exposes more than 10,000 online shoppers’ payment details due to its non-existent cyber security measures.
Online drone vendor DronesForLess.co.uk failed to encrypt or protect its customers’ sensitive data, leaving its web servers completely exposed to anyone who browsed to them. The company had been saving its customers’ online purchase receipts and payment details to its web servers, which its operators had not protected with even a basic security measure such as password protection.
The easily available data included: names, addresses, phone numbers, email addresses, IP addresses, the devices used to connect to the site, details of the items ordered, the card issuer and the last four digits of the credit and debit cards used to pay for each order. The leak revealed details from October 2015 to 31 March 2018, all of which had been indexed by Google.
According to Alan Turnbull, who spotted the highly negligent oversight, the dataset comprised plain-text JSON strings of SellerCloud API transactions and was viewable via a simple Google search. More worryingly, the leak exposed the purchase histories and details of police, military and government personnel who had bought goods and had them shipped to their respective work HQs. It remains unclear, however, whether these purchases were for personal or work use.
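As an added example that is not part of the article, the following script shows the kind of check a site operator could run against their own document root to catch the exposure described above: it walks the web root, parses every JSON file it finds and flags any record that carries personal or payment fields. The field names, directory layout and sample receipt are constructed for illustration; SellerCloud’s real export format is not given on the page.

```python
import json
import tempfile
from pathlib import Path

# Field names that indicate personal or payment data in an order record.
# Assumed for illustration; the real SellerCloud field names are not on the page.
SENSITIVE_KEYS = {"name", "email", "address", "phone", "ip", "cardissuer", "cardlast4"}

def sensitive_keys_in(obj, found=None):
    """Recursively collect sensitive-looking keys from a parsed JSON value."""
    if found is None:
        found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower().replace("_", "") in SENSITIVE_KEYS:
                found.add(key)
            sensitive_keys_in(value, found)
    elif isinstance(obj, list):
        for item in obj:
            sensitive_keys_in(item, found)
    return found

def audit_webroot(webroot):
    """Return (relative path, sorted sensitive keys) for every JSON file under
    the web root that contains personal or payment data. Anything listed here
    is reachable by a browser or crawler and belongs in a database, not a directory."""
    findings = []
    for path in sorted(Path(webroot).rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue  # not valid JSON or unreadable; nothing to classify
        keys = sensitive_keys_in(data)
        if keys:
            findings.append((path.relative_to(webroot).as_posix(), sorted(keys)))
    return findings

def demo():
    """Constructed sample web root: one order receipt with PII, one harmless config file."""
    root = tempfile.mkdtemp()
    orders = Path(root, "exports", "orders")
    orders.mkdir(parents=True)
    orders.joinpath("order-1001.json").write_text(json.dumps({
        "OrderID": 1001, "Customer": {"Name": "A. Example", "Email": "a@example.invalid"},
        "Payment": {"CardIssuer": "Visa", "CardLast4": "1234"},
    }))
    Path(root, "site.json").write_text(json.dumps({"theme": "dark"}))
    return audit_webroot(root)

if __name__ == "__main__":
    for rel, keys in demo():
        print(f"EXPOSED: {rel} contains {', '.join(keys)}")
```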
The Client List
• A member of the Ministry of Defence’s procurement division who bought a DJI Inspire 2, complete with spare battery and accidental damage insurance.
• A serving Metropolitan Police officer had a DJI Phantom 3 quadcopter delivered to the force’s Empress State Building HQ in London, with the order placed from a non-police email address composed of his unit’s very distinctive abbreviation.
• A member of the National Crime Agency, who appeared to have used his ***@nca.x.gsi.gov.uk secure email address to buy a Nikon Coolpix digital camera.
• A British Army Reserve major who had a £1,100 drone posted to his unit’s HQ.
Turnbull further revealed that executives from PowerPhotoCorp.com, Fumfie.com and SLRHut.co.uk, well-known online photography, drone and consumer electronics shops, had made early test purchases in 2015 and 2016.
Responses to the Leak
Infosec researcher Scott Helme told The Register: “From a technical perspective having this kind of information in a publicly accessible directory is incredibly negligent. This information should be stored in a database and most certainly should not be available to the internet and stored in plain text!”
“At a minimum the company involved need to contact all of the affected customers and inform them what data has been leaked so that they can take whatever steps they deem necessary, even if that’s just so they can be vigilant for potential phishing emails. I hope that the ICO will also take action against the company for such a negligent leak of personal.”
A spokeswoman for the British Government sent a statement to The Register saying: “We treat the security of our information very seriously. We have asked the company involved to remove any public record of this data and to let all those affected know.”