Exploit: Unsecured Database
BrandBQ – Fashion Retailer
Risk to Small Business: 1.667 = Severe
An unsecured Elasticsearch database spelled trouble for Krakow-based fashion retailer BrandBQ. Security researchers uncovered the unencrypted Elasticsearch server on June 28, and BrandBQ finally secured it around a month later, but not before records for millions of clients were exposed. Observers reported one billion entries in the exposed database, including 6.7 million records related to online customers, with each entry featuring personally identifiable information (PII) including full names, email and home addresses, dates of birth, phone numbers, and payment records (although not card details). Also available on the server were 50,000 records relating to local contractors in certain jurisdictions, including VAT numbers and purchase information.
Individual Risk: 2.863 = Severe
Information contained in this database sat unguarded and available to cybercriminals for at least a month. Clients of BrandBQ or any of its retail stores, including online stores and operations in Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine, and the Czech Republic, should be wary of spear phishing attempts that use this data.
Customers Impacted: 7,000,000
How it Could Affect Your Customers’ Business: An exposed database of this magnitude is shocking, and it definitely indicates that your company isn’t following cybersecurity best practices like securing sensitive customer data with multifactor authentication.