Industry News: Cyber

Know Your Breach: BrandBQ

Written by Cybersecurity | Oct 2, 2020 3:47:19 PM

The target: BrandBQ, a European fashion retailer. 

The take: 7 million customer records of personally identifiable information, including full names, email addresses, home addresses, dates of birth, phone numbers, and payment records.

The attack vector: The data was exposed on an unencrypted and unsecured Elasticsearch server, meaning anyone with an internet connection could have found the information and downloaded a copy. Along with customer information, an additional 50,000 records relating to contractors who worked with BrandBQ were also stored on the server, exposing their purchase information and correspondence. Further mixed in were API logs relating to the company's mobile app, greatly increasing the range of possible exposure to over 500,000 affected users.

Credential management and proper security around the storage of data are critical for every business. In this case, keeping all of this data mixed together in one place compounded the severity of the breach: not only were BrandBQ’s customers made into vulnerable phishing targets, but its contractors are now also extremely susceptible to Business Email Compromise scams.
