B&Q 'exposed data about store thieves'


B&Q says it has taken action after being told that it exposed details of suspected store thieves to the net without password protection.

The matter was brought to light by a security researcher last week.

He said the DIY chain had taken the data offline, but was unable to get a response from the company himself.

"We have closed the issue down and are continuing to investigate how it occurred," a B&Q spokeswoman told the BBC on Monday.

According to Lee Johnstone, chief executive of Ctrlbox Information Security, the exposed records included 70,000 offender and incident logs.

He blogged that these included:

  • the first and last names of individuals caught or suspected of stealing goods from stores
  • descriptions of the people involved, their vehicles and other incident-related information
  • the product codes of the goods involved
  • the value of the associated loss

One example of the details logged read: "Offender ran out of the fire exit with Nest thermostats. The male on this occasion got away. There is no CCTV footage covering this area."

Mr Johnstone wrote that the data was kept on an "Elasticsearch server" - an open source search engine technology that had not been set up to require user-ID authentication.
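As an added illustration, not part of the BBC report and not B&Q's actual configuration, the excerpt below contrasts an elasticsearch.yml that produces the exposure pattern described above (an internet-reachable node that answers without credentials) with a hardened equivalent; the internal address and certificate paths are assumptions.

```yaml
# elasticsearch.yml, constructed example (not taken from the incident)

# --- Exposed pattern ---
# The node listens on every interface and security is switched off, so
# anyone who can reach TCP/9200 can read, change or delete every index.
# Both lines are left commented out here so this file stays hardened.
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Hardened equivalent ---
# Bind only to the interface the application actually uses; the REST API
# belongs behind the application or a reverse proxy, not on the internet.
network.host: 10.0.0.12          # assumed internal address
http.port: 9200

# Require authentication on every REST request. Since 7.1 this is part of the
# free Basic licence, and since 8.0 it is enabled by default on new installs;
# on older clusters it has to be set explicitly.
xpack.security.enabled: true

# With security enabled, a multi-node cluster must also encrypt node-to-node
# transport, otherwise the node refuses to start in production mode.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12 # assumed path

# Encrypt the HTTP API too, so the credentials now required are not sent in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                        # assumed path
```

A quick self-check once the node is restarted: a request to https://10.0.0.12:9200/ with no credentials should return HTTP 401 rather than the cluster banner, and a request from outside the intended network segment should not connect at all.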

A spokeswoman for B&Q said that it believed the number reported in the blog was wrong and that there were a number of other inaccuracies in the text, but declined to say what they were.

"Our continuing investigation will help us decide whether an ICO [Information Commissioner's Office] notification is required," she added.

There are no reports that the database had been accessed by any other non-authorised party.

But Mr Johnstone wrote that he had sent several messages to the firm before the logs became unavailable on 23 January, which was 11 days after he had first emailed the business.

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people's rights and freedoms," said a spokeswoman for the watchdog when asked about the incident.

"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary."
