Skip to main content

Personal Data of 1.3 Million Shoppers Exposed by Walmart Partner

Personal Data of 1.3 Million Shoppers Exposed by Walmart Partner

According to cybersecurity firm Kromtech, who found it stored in a publicly accessible Amazon S3 bucket.

  • By Sydny Shepard
  • Mar 20, 2018

The personal data of over 1.3 million people across the United States and Canada were publicly exposed online by Walmart's jewelry partner, according to cybersecurity firm Kromtech, who found it stored in a publicly accessible Amazon S3 bucket.

Researchers first assumed the Amazon web server belonged to Walmart, since the storage bucket was named, "walmartsql." However, they later uncovered the databased actually belonged to a Chicago-based firm called MBM Company Inc., which primarily operates under the name Limogés Jewelry.

According to Kromtech, the database was left exposed online since Jan. 13 2018, and included names, addresses, zip codes, phone numbers, email addresses, and plaintext passwords for 1,314,193 people.

It also contained numerous records for retailers other than Walmart. Over the years, Limogés Jewelry has done business with retailers such as Amazon, Overstock, Sears, Kmart and Target, among others.

Kromtech researchers also found internal MBM mailing lists, payment details, promo codes, item orders, as well as encrypted credit card details. The records exposed dated as far back as 2000 and extended to early 2018. Researchers believe this may have been MBM Company's main customer database.

“In more than one case, the sensitive data has been exposed by a partner or third party. Organizations need to not only take steps to secure sensitive data in their possession, but also as it’s handed off to these partners," Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire said. "Protecting customer data from this type of exposure doesn’t require amazing new security tools. Ensuring that systems are secure when deployed and monitoring them for changes is part of doing the basics right. Those security basics apply as much to the cloud as the data center.”  

Fortunately, shortly after the exposed data was found the publicly accessible database was "quietly" secured by Walmart. Kromtech found no evidence of ransom notes, but that doesn't mean no one accessed the data.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

Most   Popular

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.