StoreHub claims unprotected server didn’t leak personal data of over one million users (updated)



Updated with statement from StoreHub

PETALING JAYA: StoreHub denied that there was a data leak despite a misconfiguration in one of its Amazon Web Services (AWS) Elasticsearch servers that left data exposed.

The company – which provides point of sale (POS) software to over 15,000 businesses, including retail shops and restaurants – was responding to cybersecurity firm SafetyDetectives’ report that it left a server unprotected and potentially exposed the data of over a million customers.

StoreHub claimed it fixed the vulnerability within 24 hours of becoming aware of it.

"Upon being informed by AWS, the vulnerability was patched and resolved on the same day," the company said, adding that it was informed via email by AWS on Feb 3.

In its report, SafetyDetectives said it discovered the leak on Jan 12, estimating that it could have put over 1TB of data with 1.7 billion records and the personal information of over one million people at risk.

The personal data contained customers’ names, phone numbers and email addresses.

Other information, including payment-related details such as transaction dates, items ordered and store locations, may also have been leaked, the firm claimed.

However, StoreHub claimed that its internal investigation revealed that no data was downloaded maliciously during the period.

“The records also do not show any spikes in the volume of data transfer to external sources,” it said.

"No sensitive financial data or passwords were contained in the vulnerability. No tokens within the dataset can be used to log in to a merchant account."

SafetyDetectives claimed in its report that it had informed StoreHub of the leak on Jan 18 via email but didn’t receive a response.

It then contacted the Malaysia Computer Emergency Research Team (MyCert) and AWS about the leak on Jan 27. As of press time, MyCert has yet to respond to requests for comment.

StoreHub said it understands the severity of the matter and the potential panic caused by this occurrence for its users.

"We would like to reassure our users that we take the security of their data very seriously and, as such, we will continually work to enhance our data security whilst addressing any and all possible concerns related to it.

"We take the security of our user data very seriously and are also working with an independent cybersecurity agency to verify and prevent future potential vulnerabilities," it said.
