CYBERSECURITY expert SafetyDetectives has claimed that its team has discovered a major data leak affecting Malaysia-based point of sale (POS) software system provider StoreHub which is mostly used in restaurants and retail stores.
The exposed data was stored on a StoreHub’s Elasticsearch server that was left open without any password-protection or encryption, according to SafetyDetectives which reputed itself to be a publishing group of cybersecurity experts, privacy researchers and technical product reviewers located all over the world.
“The unprotected server potentially compromised the information of thousands of restaurants and retail stores, along with their staff and roughly (that of) 1 million customers,” it said in a report to FocusM.
According to SafetyDetectives, its cybersecurity team discovered that Storehub had misconfigured one of its Elasticsearch server, causing it to leak over 1.7 billion records and over 1 terabyte of data.
This exposed almost one million customers in Malaysia and potentially across Southeast Asian countries.
Founded in 2013, the Petaling Jaya-based StoreHub claimed that its software products are used by over 15,000 businesses, primarily in the Southeast Asia region. The company sells POS software primarily to food and beverages (F&B) businesses such as restaurants and retail stores.
“Our cybersecurity team discovered this leak on Jan 12 (this year). The server content seems to have been exposed since at least late November 2021,” revealed SafetyDetectives. “Upon finding the leak, our cybersecurity team followed the rules of ethical hacking by leaving the server and data untouched, then contacting the responsible company.”
Its cybersecurity team has also e-mailed StoreHub as soon as it discovered the leak, according to SafetyDetectives.
“On Jan 18, we sent a follow up e-mail to them and we sent an e-mail to StoreHub’s chief technology officer. We received no response by Jan 27 so we contacted MyCERT (Malaysia Computer Emergency Response Team) and Amazon Web Services (the hosting company). Both responded promptly,” noted the cybersecurity expert.
“We were able to disclose the leak to MyCERT on Jan 28. The MyCERT asked us for more information on Feb 2 but the server was secured by then. We estimate the server was secured between that period from Jan 28 and Feb 2.”
As StoreHub sells its POS software to customer-facing businesses, SafetyDetectives said the exposed data comes in two categories, namely (i) data from customers of businesses using StoreHub; and (ii) data from businesses using StoreHub.
Exposed personally identifiable information (PII) from customers includes full names, phone numbers, physical addresses, e-mail addresses and type of device used while the exposed data related to payments and order information include transaction dates, ordered items and store locations.
Meanwhile, leaked information from the businesses include check-in/check-out times from employees, employee names, store names, store physical addresses and store e-mail addresses. – June 16, 2022
