B&Q has reportedly exposed information on around 70,000 shoplifters in a publicly accessible Elasticsearch instance, according to Australian security researcher Lee Johnstone.
The exposed data included the names of thieves, along with the product codes of the items they had attempted to steal, the total value of the losses, and location data for the stores. Also included were detailed descriptions of the people and their vehicles.
According to Johnstone’s report, the instance was operated by TradePoint, the arm of B&Q that focuses on trade-only sales.
He said that TradePoint was operating an internal program to track incidents of theft across its stores, along with information about the offenders. All of this was stored in an Elasticsearch database that was reachable from the public internet without any form of authentication.
Initially there was no information identifying the retailer involved; the researcher worked out that it was B&Q from the store geodata.
By his account, Johnstone made efforts to contact TradePoint and B&Q. He first contacted them on 12 January 2019, but despite assurances that they were looking into the matter, the Elasticsearch instance only became inaccessible on 23 January 2019.
The BBC has reported that B&Q disputes some of the details of the incident, questioning the number of records involved. It also claimed there were other inaccuracies, without saying what they were.
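As an added illustration (not TradePoint's or B&Q's actual configuration, and not from Johnstone's report), the kind of elasticsearch.yml settings that produce an exposure like the one described, beside a hardened equivalent; it assumes a version of Elasticsearch before 8.0, where the security features ship disabled by default, and the address and certificate path are placeholders.

```yaml
# Fragment 1 (hypothetical): settings that expose every index to anyone who can reach port 9200
network.host: 0.0.0.0           # binds all interfaces, including a public-facing one
http.port: 9200
xpack.security.enabled: false   # no users, roles or authentication on any request
---
# Fragment 2 (hypothetical): hardened equivalent
network.host: 10.0.5.20         # placeholder private address; bind only to an internal interface
http.port: 9200
xpack.security.enabled: true                  # every request must authenticate
xpack.security.transport.ssl.enabled: true    # required once security is on in a multi-node cluster
xpack.security.http.ssl.enabled: true         # encrypt the REST API
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder keystore path
```

After the change, an unauthenticated request to port 9200 from outside the internal network should return HTTP 401 (or be dropped by the firewall) rather than a listing of indices; checking that from an external vantage point is the test that would have caught this exposure.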
Under GDPR, a data breach must be reported to the regulator with full details on what happened, within 72 hours.