- Just under a million European customer records of Office Depot were leaked online.
- The firm failed to properly secure a production server that exposed its network too.
- It is likely that a hacker had already found a way into the corporate network before the discovery of the database.
The latest Elasticsearch database tumble comes from Office Depot Europe, who, according to a report shared by researcher Jeremiah Fowler, failed to protect a “live” production server. The researcher and his team found the accessible data on March 3, 2021, and immediately sent a disclosure notice to Office Depot.
The firm secured it within hours, and two days later, they thanked the reporters. Although the response was quick, the data may have stayed online and accessible by anyone for long enough to be exfiltrated by malicious actors.
In total, Fowler was able to access 974,050 records which included the following types of data:
- Names
- Phone numbers
- Physical addresses (home and/or office)
- @members.ebay addresses
- Hashed passwords
- SSH Login information
- Dashboard and user group logs
- Hostnames, IP addresses, and pathways
- Middleware details
All in all, the data exposed both Office Depot customers and also the firm itself to the dangers of hacking and corporate network compromise. Unfortunately, most of the customer-exposing records were in plain text form, apart only from the passwords maybe.
As Fowler explained in his message to TechNadu, Office Depot made a peculiar announcement about a week prior to discovering the data, mentioning a malware infection that would cost them €20 million. This is matching the maximum amount of GDPR fines, so it’s possible that the firm was already dealing with an intruder who found his way in thanks to key details that were left exposed on the unprotected database.
The PII data contained in the exposed set has several references to German citizens, and so an investigation launched by the German data protection officer should be considered a given now. Also, if Office Depot failed to inform the authorities within 72 hours after the discovery of the data breach, as obliged by the regulation, additional fines may be imposed.
If you are a customer of Office Depot, you should first contact the firm and ask for details about the breach and how it affects you. Additionally, since phone numbers are included in the leak, you should be aware of the possibility of smishing - and generally tricky calls from scammers. The physical addresses also make post phishing likely, even though that’s seldom something that crooks bother with.