Bunnings Internal Employee Observations Database Exposed

Recently i did an article on b&q, a U.K based home hardware supplier and this week it seems that another major player in the home hardware supply’s game has also exposed a heap of data online, this time its over here in Australia and its Bunnings Group.

Bunnings in recent months has had a lot of media coverage with the sauce and sausage issue, however this issue is not about food its about information security and a staff portal for Bunnings managers to log Observations of other employees being exposed by bad development practices and lack of security on a HTTP server that ultimately ended up leaking a over 1,000 customers emails and source code for the observations portal.

index of files left on the developers system that exposed Bunnings data.

Looking in to the overall reputation of Bunnings from a employees perspective we see that over on glassdoor and indeed.com it shows that over all staff love Bunnings but there does seem to be a trend with a fair few making comments about the management, one that stood out was that the “management is to focused on finding what you did wrong rather than what you did right and rewarding you for good work”, though the observations shown to CTRLBOX show that the Bunnings management more often than not are leaving very good observations about the work staff members do.

management is to focused on finding what you did wrong rather than what you did right and rewarding you for good work. src: indeed.

The observations come from a MySQL database and contained all stores managers first and last names, login credentials for staff and developers, some of which are in plain text. A few other sites the developer is working on are the ‘Bunnings community portal’ and a ‘Bunnings application portal’.

community portal
application portal

Being a developer myself i understand just how easy it is to slip up this is why i will not be disclosing who the developer is as i do not want to destroy somebody’s name due to a simple mistake, however Bunnings and the developer both have a lot to learn from this however Bunnings has a great deal to learn, specially when contracting out development to have strict guidelines on data security, provide sample dummy data, provide secure servers and required domains/dns for staging and development if needed.

After reaching out and speaking to the Bunnings Managing director Michael Schneider, the problem got resolved with a matter of hours. Michael also explained why this incident happened saying that a Bunnings employee who was doing a good faith job by utilizing their web development skills, Bunnings has since started to rethink on the process of involving employees and others in the development of its internal systems.

Official statement from Bunnings Managing director Michael Schneider below.

On Wednesday (30 January 2019) we learned of an unsecure and unofficial website that contained some customer data  from one of our stores including names, email addresses, phone numbers  and physical addresses. The site also included  limited team member details such as names and internal ID numbers. No  banking or financial data was stored.

We took immediate action and the site was shut down within the day. We have notified the OAIC (Office of  Australian Information Commissioner) and have begun contacting affected  customers and team members.

The site contained the contact details of  1,194 customers and was created by a team member as an administration  tool and to assist in keeping local customers updated about activities  and events. This was a breach of our data policy  guidelines.  

We are sorry that this has happened and would like to reassure our team and customers that we take their privacy very seriously. We are reinforcing our data and privacy policies with our team to prevent something like this happening  again.  

Whilst those affected will be contacted directly, if customers or team members have any questions or concerns they can contact [email protected] or  call 1300 558 435.

Michael Schneider, Bunnings’ Managing Director

One thing to take away from this is no matter how big or small of a company you are, when a security incident happens get on to it right away and work along with those who reported it to you, Bunnings did this and got the problem resolved very fast.

About the author: Lee Johnstone