Researchers at Safety Detectives, a security review site, disclosed that an Elasticsearch server belonging to StoreHub, a Malaysian point-of-sale software provider, had been left wide open with almost a million customers' records inside.
According to the Safety Detectives report, the StoreHub server held unencrypted data and required no password. Researchers from the firm could simply walk in and read 1.7 billion records chronicling the affairs of almost a million people, in a cache of more than a terabyte.
StoreHub's products include point-of-sale and online ordering systems, so the vendor tracks both the businesses that use its software and the activity of their individual customers. According to Safety Detectives, the exposed data included full names, phone numbers, email addresses, physical addresses and even device types.
Customers' orders, together with where and when they were placed, were visible to anyone who found the server. Safety Detectives say the order data contained "partially masked credit card information." Staff details of StoreHub's business users were also exposed, as were access tokens, which could allow criminals to alter users' StoreHub-powered sites.
Safety Detectives' post says the unprotected server was discovered on January 12th and reported immediately, with follow-ups, but StoreHub did not reply. On January 27th the firm contacted StoreHub's host, Amazon Web Services (AWS), and Malaysia's Computer Emergency Response Team (CERT). By February 2nd the server had been secured. StoreHub's response to The Register contradicts Safety Detectives' timeline, claiming it was notified on February 3rd, but does not deny that the server was unprotected.
"Upon being informed of the occurrence on an Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours." The company also revoked the tokens found in the dataset, and says an evaluation showed "that no sensitive financial data or passwords were contained in the vulnerability." The statement does not say whether anyone else accessed the exposed data.
StoreHub has hired a security firm to "verify and prevent future potential vulnerabilities" and has promised to do better. Safety Detectives attribute the problem to a "misconfigured" server: in practice, an Elasticsearch instance reachable from the internet with no password protection in front of its data.
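One check a practitioner would run for this class of exposure, as an added example that is not code from Safety Detectives, StoreHub or The Register: it reviews an elasticsearch.yml for the settings that leave the REST API open, classifies the response to an unauthenticated GET / on port 9200, and sizes the exposure from _cat/indices. The config fragments, HTTP response bodies and index listing are constructed for the example; the cluster name, index names and counts are assumptions, not StoreHub's.

```python
"""Audit checks for an Elasticsearch node that may be reachable without
authentication. Added example, not code from Safety Detectives or StoreHub.
All config fragments and HTTP responses below are constructed for the example."""
import json

# Constructed elasticsearch.yml for the weak case: security off (the 7.x
# default) and the node bound to every interface.
WEAK_YML = """\
cluster.name: pos-analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed hardened configuration for the same node.
HARDENED_YML = """\
cluster.name: pos-analytics
network.host: 10.0.1.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Constructed bodies of an unauthenticated GET / on port 9200, shaped like
# the real responses of an open node and of a node with security enabled.
OPEN_RESPONSE = (200, json.dumps({
    "name": "node-1", "cluster_name": "pos-analytics",
    "version": {"number": "7.10.2"}, "tagline": "You Know, for Search"}))
CLOSED_RESPONSE = (401, json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401}))

# Constructed output of GET /_cat/indices?format=json&bytes=b (assumed names/counts).
CAT_INDICES = json.dumps([
    {"index": "orders-2021", "docs.count": "900000000", "store.size": "700000000000"},
    {"index": "customers", "docs.count": "950000", "store.size": "1200000000"},
    {"index": "sessions", "docs.count": "800000000", "store.size": "450000000000"},
])

ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_es_yml(text):
    """Parse the flat 'key: value' subset of elasticsearch.yml into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def config_findings(cfg):
    """List the settings that leave the REST API open and unencrypted."""
    findings = []
    host = cfg.get("network.host", "_local_")   # ES default: loopback only
    if host in ALL_INTERFACES:
        findings.append("network.host=%s exposes port %s on every interface"
                        % (host, cfg.get("http.port", "9200")))
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication")
    if cfg.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: plaintext REST")
    return findings


def classify_probe(status, body):
    """Interpret an unauthenticated GET / : OPEN, AUTH_REQUIRED or UNKNOWN."""
    try:
        data = json.loads(body)
    except ValueError:
        return "UNKNOWN"
    if status == 200 and data.get("tagline") == "You Know, for Search":
        return "OPEN"
    err = data.get("error")
    if status == 401 and isinstance(err, dict) and err.get("type") == "security_exception":
        return "AUTH_REQUIRED"
    return "UNKNOWN"


def summarize_indices(cat_json):
    """Total documents and bytes from _cat/indices, to size an exposure."""
    rows = json.loads(cat_json)
    return {"indices": len(rows),
            "docs": sum(int(r["docs.count"]) for r in rows),
            "bytes": sum(int(r["store.size"]) for r in rows)}


def audit(yml_text, probe_status, probe_body):
    """Combine the config review and the live probe into one verdict."""
    findings = config_findings(parse_es_yml(yml_text))
    state = classify_probe(probe_status, probe_body)
    return {"probe": state, "findings": findings,
            "exposed": state == "OPEN"
                       or any("no authentication" in f for f in findings)}


if __name__ == "__main__":
    for label, yml, resp in (("weak", WEAK_YML, OPEN_RESPONSE),
                             ("hardened", HARDENED_YML, CLOSED_RESPONSE)):
        print(label, json.dumps(audit(yml, *resp), indent=2))
    size = summarize_indices(CAT_INDICES)
    print("%d indices, %d docs, %.2f TB" % (size["indices"], size["docs"], size["bytes"] / 1e12))
```

The probe classification relies on two stable behaviours: an open node answers GET / with HTTP 200 and the "You Know, for Search" tagline, while a node with security enabled returns 401 and a security_exception. Run the config review against the node's own elasticsearch.yml and the probe from outside the VPC; a node that passes the probe but still fails the SSL finding is authenticated yet sends its credentials and data in plaintext.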
Malaysian legislation may also prove harsher than StoreHub's own response, since it imposes significant fines for failure to comply with data protection requirements. StoreHub may face problems beyond its home market too, as it operates in other South-East Asian countries.