With so much data, hackers could easily create phishing campaigns. At issue: a misconfigured S3 bucket, an Amazon Web Services storage service, belonging to a partner of the group.
VPNmentor has just released its new massive data exposure survey. According to the cybersecurity firm, a personal database covering 8% of Decathlon's workforce (7,883 employees) was exposed for several months. The improper configuration of an AWS S3 bucket is said to have caused this flaw. The incident obviously recalls the security breach of 2020, which exposed 123 million customer records.
Should the Decathlon group expect to suffer cyber attacks?
In its investigation, VPNmentor shows that the nature of the exposed data is varied. It includes surnames, first names, e-mail addresses, country or city of residence, as well as photos. The consulting company Bluenove also carried out an internal survey on behalf of Decathlon called "Vision 2030". Bluenove researchers specify that: "the photos exhibited are illustrative photos of the platform, but in no case personal photos of the employees. As for the 'city' or the 'country', they linked the data to the locations of Decathlon stores and not to the personal information of the persons concerned."
So much exposed data could allow hackers to set up effective phishing campaigns impersonating Decathlon, by email or even by phone. Many employees could then reveal important information, give out their passwords or click on inappropriate links containing malware. In its investigation, VPNmentor could not determine the exact exposure time of the data, but the researchers estimate that the exposure lasted from March to November 2020, a period long enough for malicious actors to have grabbed it.
Could the flaw have been avoided?
A Decathlon spokesperson answered questions from Computer World. He explains: "A Decathlon data storage space, belonging to one of its service providers and managed by it, was exposed on the internet. No data has been disclosed or used by third parties. No banking data or passwords were affected. Decathlon, informed on April 12, 2021, immediately took measures to put an end to this exposure." According to the brand, the impact analysis carried out internally did not reveal any risk for the employees concerned.
For VPNmentor, such exposure could certainly have been avoided. In particular, it would have been possible to make the bucket private by requiring authentication. The cybersecurity researchers add: "It is also possible to add more layers of protection to S3 buckets to further restrict who can access them from each entry point." Bluenove maintains, however, that all of its buckets are encrypted. A spokesperson for the company said: "We clearly deplore this exposure of data. Even if it is non-critical data, as a technology company, we must implement every means daily so that the data of our consultations is protected."
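As an added illustration of the check VPNmentor is alluding to (this is example code written for this page, not code from the article, VPNmentor, Bluenove or Decathlon), the following offline function inspects an S3 bucket policy document together with the bucket's Block Public Access settings and reports whether anonymous reads are possible. The policy and settings it runs on are constructed samples; bucket ACLs are outside its scope.

```python
# Added example: flags an S3 bucket policy that grants read access to
# everyone, and checks whether Block Public Access neutralises the grant.
# The sample policy and settings below are constructed, not from the incident.

# Actions that let an anonymous caller list or read objects.
READ_ACTIONS = {"s3:*", "s3:Get*", "s3:List*", "s3:GetObject", "s3:ListBucket"}

def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means everyone, including unauthenticated."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def _actions(statement):
    act = statement.get("Action", [])
    return {act} if isinstance(act, str) else set(act)

def public_statements(policy):
    """Sid (or index) of each Allow statement granting a read action to
    everyone with no Condition narrowing who may call."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Condition narrows the grant; review it by hand
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if _actions(stmt) & READ_ACTIONS:
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found

def is_exposed(policy, public_access_block):
    """True when the policy grants anonymous reads and Block Public Access
    does not neutralise it: RestrictPublicBuckets=true makes S3 ignore public
    policy grants, whereas BlockPublicPolicy only blocks attaching new ones."""
    if not public_statements(policy):
        return False
    return not public_access_block.get("RestrictPublicBuckets", False)

# Constructed sample: an "everyone can read" policy, checked first with Block
# Public Access switched off (the exposed state), then with all four settings on.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
BPA_OFF = {k: False for k in BPA_KEYS}
BPA_ON = {k: True for k in BPA_KEYS}
```

Running `is_exposed(WEAK_POLICY, BPA_OFF)` reports the exposed state, while the same policy with `BPA_ON` is not reachable anonymously because RestrictPublicBuckets overrides the public grant.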