StoreHub claims unprotected server didn’t leak personal data of over one million users (updated)



Updated with statement from StoreHub

PETALING JAYA: StoreHub denied that there was a data leak despite a misconfiguration in one of its Amazon Web Services (AWS) Elasticsearch servers that left data exposed.

The company – which provides point of sale (POS) software to over 15,000 businesses, including retail shops and restaurants – was responding to cybersecurity firm SafetyDetectives’ report that it left a server unprotected and potentially exposed the data of over a million customers.

StoreHub claimed it fixed the vulnerability within 24 hours of becoming aware of it.

"Upon being informed by AWS, the vulnerability was patched and resolved on the same day," the company said, adding that it was informed via email by AWS on Feb 3.

In its report, SafetyDetectives said it discovered the leak on Jan 12, estimating that it could have put over 1TB of data with 1.7 billion records and the personal information of over one million people at risk.

The personal data contained customers’ names, phone numbers and email addresses.

Other information, including payment-related details – transaction dates, items ordered and store locations – may also have been leaked, the firm claimed.

However, StoreHub claimed that its internal investigation revealed that no data was downloaded maliciously during the period.

“The records also do not show any spikes in the volume of data transfer to external sources,” it said.

“No sensitive financial data or passwords were contained in the vulnerability. No tokens within the dataset can be used to log in to a merchant account.”

SafetyDetectives claimed in its report that it had informed StoreHub of the leak on Jan 18 via email but didn’t receive a response.

It then contacted the Malaysia Computer Emergency Research Team (MyCert) and AWS about the leak on Jan 27. As of press time, MyCert has yet to respond to requests for comment.

StoreHub said it understands the severity of the matter and the potential panic caused by this occurrence for its users.

"We would like to reassure our users that we take the security of their data very seriously and, as such, we will continually work to enhance our data security whilst addressing any and all possible concerns related to it.

"We take the security of our user data very seriously and are also working with an independent cybersecurity agency to verify and prevent future potential vulnerabilities," it said.
