Whole Foods customer records among 82M exposed due to vulnerable database
In early July, security researcher Jeremiah Fowler, in partnership with the CoolTechZone research team, discovered a non-password-protected database that contained more than 82 million records.
The records had information that referenced multiple companies, including Whole Foods Market (owned by Amazon) and Skaggs Public Safety Uniforms, a company that sells uniforms for police, fire, and medical customers all over the United States.
The logging records exposed numerous customer order records, names, physical addresses, emails, partial credit card numbers, and more. These records were marked as “Production.”
Overall, the size of the leaked data is approximately 9.57GB. The total number of records when first discovered (between April 25 and July 11) was 28,035,225. After the notice was sent (between April 25 and July 30), the total number of records rose to 82,099,847.
What do logging records tell us?
There were millions of logging records that did not have any specific order, so it is hard to fully understand just how many individuals were affected.
The Whole Foods records identified internal user IDs of their procurement system, IP addresses, and what appear to be authorization logs or successful login records from an activity monitoring system.
Other logs had references to Smith System, a school furniture manufacturer, and Chalk Mountain Services, a trucking leader in the oilfield services industry.
The majority of the payment and credit records appeared to be connected to Skaggs Public Safety Uniforms. They operate multiple locations and have offices in Colorado, Utah, and Arizona. CoolTechZone ran several queries for words such as “police” and “fire” and could see multiple agencies as well as their orders, notes, and customization requests.
Logging can identify important security information about a network. The most important thing about monitoring and logging is to understand that they can inadvertently expose sensitive information or records in the process.
Reviewing logs regularly is an important security step that should not be overlooked, but often is. These reviews could help identify malicious attacks on your system or unauthorized access.
Unfortunately, because of the massive amount of log data generated by systems, it is often not logical to manually review these logs, and they get ignored. It is vital to ensure that records are not kept for longer than is needed, sensitive data is not stored in plain text, and public access is restricted to any storage repositories.
How is this dangerous for users?
The real risk to customers is that criminals would have insider information that could be used to socially engineer their victims.
As an example, there would be enough information to call or email and say, “I see you just purchased our product recently, and I need to verify your payment information for the card ending in 123.” The unsuspecting customer would have no reason to doubt the verification because the criminal would already have enough information to establish trust and credibility.
Or, using a “Man in the Middle” approach, the criminal could provide invoices to partners or customers with different payment information so that the funds would be sent to the criminal and not the intended company.
Internal records can also show where data is stored, what versions of middleware are being used, and other important information about the configuration of the network.
This could identify critical vulnerabilities that could potentially allow for a secondary path into the network. Middleware is considered “software glue” and serves as a bridge between two applications. Middleware can also introduce added security risks.
Using any third party application, service, or software creates a scenario where your data may be out of your control. As is commonly said, “data is the new oil,” and it is extremely valuable.
Often, when there is a data exposure, it happens because of human error and misconfiguration, not malicious intent. CoolTechZone would highly recommend changing all administrative credentials in the event of any data exposure to be on the safe side.
It is unclear exactly how long the database was exposed and who else may have gained access to the publicly accessible records. Only a thorough cyber forensic audit would identify if the dataset was accessed by other individuals or what activity was conducted.
It is also unclear if clients, customers, or authorities were notified of the potential exposure.
This story originally appeared on Cooltechzone.com. Copyright 2021
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more
Source: Read Full Article