"Retailer Database Error Leaks Over One Million Customer Records"

According to WebsitePlanet, a database configuration error at a popular automotive retailer led to the exposure of 1TB of records, including customers’ personal information. Security researcher Jeremiah Fowler reported the incident to the web-builder site, having traced the records to Philadelphia-based business SimpleTire. The online tire retailer claims to have a network of over 10,000 installers and over 3,000 independent supply points. Fowler said that although he sent “multiple email notices” to SimpleTire to responsibly disclose his findings, the non-password-protected database remained publicly accessible to anyone with an internet connection for over three weeks before finally being locked down. It is unclear how long the database had been publicly exposed before Fowler’s discovery. The SimpleTire database contained over 2.8 million records, including nearly 1.2 million order confirmation PDFs that featured personally identifiable information (PII), such as customer names, phone numbers, and billing addresses. The order records also contained partial credit card numbers and expiry dates. Details of orders, including authorized installers, receipt numbers, product information, and payment amounts, were also clearly visible. The researcher warned of the risk of follow-on social engineering attacks if hackers had managed to access the exposed database.

 

Infosecurity reports: "Retailer Database Error Leaks Over One Million Customer Records"
