An E-Commerce Firm Exposed Billions of Records of Personal Information

November 15, 2021

According to researchers, a Brazil-based e-commerce firm accidentally exposed two billion records, including sellers' and clients' confidential and personal information, through a misconfigured Elasticsearch server.

The research team that identified the misconfiguration discovered it in June of this year and quickly traced the leak back to a firm that lets vendors manage and transport their activity across several marketplaces such as Amazon and Facebook.

Although the firm responded to the researchers less than four days after they alerted it to the leak in the first week of July, it then became unreachable through any mode of communication. A cybersecurity team is currently trying to verify whether the issue has been fixed.

 

How did the e-commerce firm expose the data?

According to the investigation, the e-commerce server was inadvertently left unencrypted, with no password protection set. It held over six hundred gigabytes of data, including clients' full names, home and delivery addresses, phone numbers, billing details, and payment details. The exposed seller information consisted primarily of full names, email addresses, home/business addresses, phone numbers, and tax identifications.

The investigators cannot confirm the total number of affected individuals because of the size of the stockpile and the possibility of duplicate email address entries.

Researchers also warned that this massive data breach could easily affect thousands to millions of Brazilian e-commerce users and shoppers. The leak could also affect the business of the company that exposed the server's content.

They also pointed out that they cannot determine whether threat actors discovered the firm's security lapse. Couriers, consumers, users, and the company itself should know the risks they could face from this data breach blunder.

 

What are the risks that they may encounter in the future?

The parties affected by this incident should prepare for numerous phishing attempts and fraudulent transactions. The exposed data can also be used to conduct several types of cybercrime, such as identity theft, exploitation of business details, and tax rebate fraud.

Extortion is also possible, since hackers can exploit records of shoppers' purchased items. For example, if a customer bought an embarrassing item, such as a sexually related item, the purchase record could be used for extortion.

Finally, a Brazilian data protection law allows regulators to fine companies a maximum of two percent of the past year’s revenue for this kind of infraction. 
