Office Depot Configuration Error Exposes One Million Records

A misconfigured Elasticsearch server belonging to a popular office supplies store chain was found leaking nearly one million records including customers’ personal information, it has emerged.

The non-password protected database was discovered by a Website Planet team led by Jeremiah Fowler on March 3. They quickly traced it back to Office Depot Europe, which operates across the region with bricks-and-mortar stores and online under the Office Depot and Viking brands.

Among the 974,000 unencrypted records found in the database were customer names, phone numbers, home and office addresses, @members.ebay addresses, marketplace logs, order histories and hashed passwords.

Fowler warned that such data could have been used by cyber-criminals to perform convincing phishing attacks.

“Let’s hypothetically say a criminal calls the customer and they validate the recent order. Next the criminal says something is wrong with your billing information, can you please provide me with the credit card number used for your purchase?” he explained.

“The customer would have no reason to doubt this because the caller can validate real details that only the retailer would know. This is how a social engineering attack works and it is one of the most common forms of fraud used today.”

Although Office Depot Europe secured the database within hours of notification, thanking the researchers for bringing it to their attention, Fowler claimed it may have been exposed for up to 10 days.

This would have put it at risk not only from data-hunting fraudsters but automated ransomware scripts and other tools which scour the internet for misconfigured databases like this.

Alongside the customer information was data on middleware, IP addresses, ports, pathways and storage systems used by the organization which Fowler said could have been exploited to target the Office Depot corporate network.

Are you Citizen-Journalist Material?

Have a tip or scoop? Do you have info about corruption that needs to be investigated and responsibly exposed ? Get in touch securely via WhatsApp at +44 7771 927378 | Signal at +447766 098270

Receive Exclusives, Features & News Updates


What Are
Cyber™ Risks?

What Is Geo-Poli-Cyber™?

MLi Group created the terms Poli-Cyber™ and Geo-Poli-Cyber™ (GPC™) in 2012 and 2013 based on the philosophy that if you cannot identify and name the threat, you cannot mitigate that threat.

Geo-Poli-Cyber™ attacks are political, ideological, terrorist, extremist, ‘religious’, and/or geo-politically motivated.

More Sinister Than Financial Motivations

Geo-Poli-Cyber™ attacks are significantly different from financially motivated cyber-attacks in damage, scale, magnitude as well as in risk mitigation strategies and solutions.

Click to read more