A report claims that this Malaysian software company exposed the data of over a million people

SafetyDetectives, an online website of cybersecurity and privacy researchers, has published a new report which claims that a Malaysian software company dealing with point-of-sale (POS) systems may have inadvertently exposed the data of more than a million customers and compromised the information of thousands of restaurants and businesses and their employees.

The Malaysian company in question is StoreHub. Based in Mutiara Damansara, StoreHub claims to be one of the fastest growing companies in the region, with over 15,000 businesses across Southeast Asia using their services. One of their main products appears to be a POS system that they’ve “built for modern restaurants, cafes, fast food kiosks, and retail stores.” They also offer business management tools and analytics.

According to SafetyDetectives, StoreHub had failed to correctly configure one of its servers. This leaked over 1.7 billion records and over a terabyte of data, potentially exposing the details of up to a million customers in Malaysia and possibly other countries as well. other countries in the region. The data leak in question appears to come from two main sources: customer data from companies using StoreHub and data from companies using StoreHub themselves.

For the first, SafetyDetectives says the leaked data contains personally identifiable information about customers such as their full names, phone numbers, physical addresses, email addresses and the type of device used. Some of the order details in the data leak also contained partially obscured credit card information, along with other order information such as transaction dates, items ordered, store locations, and more.

As for the latter, the leaked data from companies using StoreHub apparently contains the names of employees, the check-in and check-out times of their employees, the name and address of the store as well as their email addresses. SafetyDetectives also added that they have seen leaked access tokens that can be used by bad actors to log into affected companies’ websites to cause more harm.

SafetyDetectives notes that although they discovered this data breach on January 12 this year, the server in question appears to have been exposed at least since late November last year. They then contacted StoreHub, but received no response. SafetyDetectives then tried to contact Amazon Web Services (AWS) and the Malaysian Computer Emergency Response Team (MyCERT), who responded. MyCERT had requested more information on February 2, but by then the server had been secured again.

StoreHub however came out and denied the data leak allegations. According to The Star, StoreHub was notified by AWS of the issue on February 3, and they later fixed the issue the same day. StoreHub also mentioned that following an internal investigation, no data was maliciously downloaded from the server when left exposed, and no financial data or sensitive passwords were kept in vulnerable data.

[ UPDATED 2.10PM, 16/6/2022 ]: StoreHub has since contacted us to provide a full statement regarding the issue which you can find below:

“On February 3, 2022, StoreHub was notified of an instance of a user data vulnerability that may impact its users.

Upon being notified of the occurrence on an Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and remediate the vulnerability within 24 hours.

The decisive action ensured that no sensitive or private data was maliciously uploaded by parties and the finding was confirmed by a thorough internal investigation into the incident. The investigation also revealed that no financial data or sensitive passwords were contained in the vulnerability.

As an added precaution, StoreHub has ensured that no tokens from the dataset can be used to log into a merchant’s account. StoreHub understands the seriousness of the issue and the potential panic caused by this event to our users.

We would like to reassure our users that we take the security of their data very seriously and, as such, we will work continuously to improve the security of our data while addressing any possible concerns related to it.

To this end, StoreHub is working with an independent cybersecurity agency to verify and prevent potential future vulnerabilities. The team will continue to work diligently and closely with its internal teams and external experts to ensure the comprehensive and thorough protection of StoreHub user data while providing comprehensive and integrated technology-driven services,” – StoreHub


Source link

Comments are closed.