When Security Fails, 70,000 Offender and Incident Logs Exposed.

This is a story about a large UK based home and hardware store that runs an internal security notes and offender program, and about the Elasticsearch database behind it.

TradePoint, who operates under the B&Q brand, is known as one of the bigger superstores in the United Kingdom. They supply you with everything you need to build your home or do your gardening, as well as everything in between. However, that does not appear to stop people stealing items from the store, which has resulted in them running their own internal program to note and track offenders and incidents from all stores. Now, in 2019 such programs for large stores are not uncommon; however, TradePoint has put a modern twist on this by indexing the data into an Elasticsearch database that has no authentication at all.

Going back a few weeks now, CTRLBOX's open data monitor system detected an Elasticsearch instance that was of interest. Within this data were a few thousand rows of security incidents that included the first and last names of individuals who had been caught or suspected of theft from the stores, along with product codes, the total price of losses and GeoIP information for store locations. Another index on the same database was used to track the incidents, with a lot of them having very detailed descriptions of persons, vehicles and other incident related information.

One thing that became very clear when reading the security incidents is that the attention TradePoint staff pay to security seems to vary between stores, as does the use of decent CCTV systems, and repeat offenders appear to get away with thefts at the same store time and time again.

1 of many database entries stating the offender got away.

Once CTRLBOX had worked out attribution to TradePoint via the GeoIP data, the types of goods and the product codes, it started to get hard from there. CTRLBOX first looked around the TradePoint website for a method to contact them and alert them, which was pretty easy, so on the 12th of Jan a notification email was sent off and contact was also attempted through the support account for B&Q, who is the parent company of TradePoint. At first it seemed like I had hit success, but a day later it was still accessible, so another attempt to contact B&Q over Twitter was made to make sure that the message had been sent to the right people, which again I was told it had, this time by a different support user.

4 days after the first notification it was still open. Clearly they had not got the message, and it was becoming clear that B&Q was not going to act on this any time soon, so another message was sent to support, who once again assured me that the message had been sent to the right people.

A week later, after 3 different support staff, still nothing had been done. With persons' names and vehicle details related to possible crimes, it was time to alert the ICO on this matter. After many failed attempts to get this closed, CTRLBOX took to LinkedIn and messaged Christian Mazauric, who is the current General Director/CEO for B&Q.

bounced emails

Attempts to email Christian and also various other higher level staff who had emails listed in various public directories failed, with all emails bouncing back. Christian has viewed the message on LinkedIn; however, no response has been received.

On the 23rd of Jan the server finally went offline, with the data no longer accessible. It's unknown if they have taken the server offline due to the notifications sent out or if it has just been taken offline by chance. Either way it's offline, and it's better that way.