Sporting Goods Retailer Decathlon Leaked 123 Million Records, Including Passwords

French sporting goods retail chain Decathlon has landed in hot water recently, as it came to light that it has leaked a whopping 123 million records of both customers and employees due to a misconfigured database.

Suffice it to say that Decathlon is a massive presence in the sporting goods world: it operates in 69 countries, employs over 90,000 people globally, and runs over 1600 stores all across the world, from the United Kingdom to Bulgaria. The company is renowned for using inventory robots and in-store mobile checkout systems, showing admirable dedication to modernizing and keeping pace with the technological innovations of our time as much as it can.

Unfortunately, Decathlon doesn’t seem to have put nearly enough effort into online security: a 9GB database was discovered on an unsecured Elasticsearch server back on February 12. As reported by the IT security specialists that discovered the trove, the leaked database contained information from Decathlon’s Spanish and UK businesses, including customer email addresses and log-in information, passwords, social security numbers, full names, addresses, birth dates, mobile phone numbers, and employee usernames and passwords, all in plaintext.

None of the data was encrypted or protected in any other fashion.

VpnMentor, the IT security specialists that discovered the leak, had this to say on the subject: “The leaked Decathlon Spain database contains a veritable treasure trove of employee data and more. It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information”.

The data breach was discovered on February 12, and Decathlon was notified about it on February 16. The database was pulled on February 17, but since the information had been accessible for quite some time, there’s no guarantee that malicious actors don't already have a copy of it. In fact, as bad as that may be, the opposite is quite likely.

Decathlon has since come out with a reassuring statement, claiming that despite the sheer bulk of records contained in the database, only a small percentage of the information therein relates to actual customer profiles. While this may be reassuring to some users, it does imply that it’s not their customers' security that Decathlon has compromised through its negligence, but the security of its own staff.

“Employees’ positions and work locations are spread throughout this database, as well as their own physical home addresses.”

Suffice it to say that this is a very serious breach of privacy that can’t be downplayed easily.

Purportedly, the breach will be covered under GDPR and should already have been reported to the French data protection authorities. This exposes Decathlon to the possibility of being fined up to $512 million, based on its global revenues of $12.8 billion for 2018.

March 19, 2020
