Sports retailer Decathlon spills 123 million records, including unencrypted employee passwords

Improperly secured AWS ElasticSearch database contained ‘treasure trove’ of employee data, which may include UK staff

Decathlon, the high-end sports retailer with stores in 49 countries around the world, has suffered a data breach spilling a total of 123 million records - including completely unencrypted passwords.

The breach was discovered on 12 February, with the company notified four days later. The discovery is yet another find by Noam Rotem and Ran Locar at VPNmentor, with the data being hosted on an improperly secured Amazon Web Services (AWS) ElasticSearch database.

French company Decathlon, the world's biggest sports retail chain with 1,511 outlets, has 44 retail stores across the UK.

It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information

"Sometimes the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what's at stake or who's leaking the data," wrote Rotem and Locar in a blog posting revealing the find, and explaining why it can take days between discovery and notification.

They continued: "Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness. Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true."

According to the researchers, the improperly secured database contained "a veritable treasure trove of employee data and more", adding: "It has everything that a malicious hacker would, in theory, need to use to take over accounts and gain access to private and even proprietary information".

Decathlon could have easily avoided this leak if they had taken some basic security measures

In addition to unencrypted passwords, the data included user names, full addresses, social security numbers, dates of birth, email address, qualifications - pretty much everything required to perform identity theft. The trove even included unencrypted logins for administrators. According to Rotem and Locar, the database appears to belong to Decathlon Spain, but UK information may have been included in the database as well.

They added: "Decathlon could have easily avoided this leak if they had taken some basic security measures to protect the database. These include, but are not limited to:

• Secure your servers.
• Implement proper access rules.
• Never leave a system that doesn't require authentication open to the internet."

The breach will be covered under GDPR and should have been reported to French data protection authorities, with the company in the running to be hit with a fine of up to $512 million, based on 2018 global revenues of $12.8 billion.

VPNmentor reviews VPN services. On the side, Rotem and Locar run a web-mapping project that involves port scanning to examine particular IP blocks and test open holes in systems for weaknesses.

In the past, the researchers have also highlighted a ticket fraud scheme targeting Groupon, Ticketmaster and several other ticket vendors, as well as an unsecured database of 16.6 million Ecuadorian citizens, and a security breach of unknown provenance exposing the data of 80 million households in the US.

Do you work for Decathlon? Have you experienced an identify theft? Contact Computing with your story.