Chinese e-commerce giant Gearbest has exposed information and orders of millions of its customers through an unsecured Elasticsearch server, security researcher Noam Rotem and his team have found.

What kind of data was exposed?

According to Rotem, the server was not protected with a password and anyone could access it and search the data.

Also, despite assurances from the company that sensitive data is encrypted, most of the contents of the database were decidedly not.

This includes:

Customers’ name; address; date of birth; phone number; email address; IP address; national ID and passport information; account passwords

Payment data: order number; payment type; payment information; email address; name; IP address

Order data: products purchased; shipping address and postcode; customer name; email address; phone number.

Possible repercussions

“Gearbest’s data leak of over 1.5 million customer records adds to a growing list of organizations that have suffered security lapses in 2019 due to misconfigured Elasticsearch servers. However, Gearbest’s incident stands out since passport numbers, national ID numbers and full sets of unencrypted data, including email addresses and passwords were among the exposed information. This data could allow hackers to easily steal Gearbest’s customers’ identities by cross-referencing with other databases, and allow malicious actors access to online government portals, banking apps, health insurance records, and more,” Brian Johnson, CEO and co-founder of DivvyCloud, pointed out.

“Organizations like Gearbest must learn to be diligent in ensuring data is protected with proper security controls. Automated cloud security solutions would have been able to detect the misconfiguration in the Elasticsearch database and could either alert the appropriate personnel to correct the issue, or trigger an automated remediation in real-time. These solutions are essential to enforcing security policies and maintaining compliance across large-scale hybrid cloud infrastructure.”

The leaked data could also endanger some users in other ways, Rotem and his team pointed out.

“The exact content of people’s orders is visible on the Orders database. Compared to other information available across these unprotected databases, this doesn’t seem particularly shocking. However, the content of some people’s orders has proven very revealing – and in some instances, even life-threatening,” they noted.

“Hidden in the ‘Sales’ section of Gearbest’s ‘Apparel’ category, users can find a vast array of sex toys. The nature of the store’s open database means the details of your private purchases could quickly become public knowledge.”

For many people across the world, purchasing sex toys is not problematic, but for some, who live in countries with prohibitive laws regarding sexuality and homosexuality, this information could lead to a death sentence for users.

Terry Ray, SVP and Imperva Fellow, says that too often, private information is collected, yet the collecting organization doesn’t monitor who has access to the data, when the data is viewed, or whether the data has been stolen.

“The problem of misconfiguration is generally more common at large companies than smaller ones, where everyone can look at everything. The bigger the company, the harder it is to maintain process,” he noted.

“What we’ve seen — and continue to see — is companies are accelerating their use of technologies more than they’re enabling their teams or hiring effective people, and that will be the downfall of utilizing servers like Elasticsearch. The data exposure highlights how modern data repositories have created a fundamental conflict in businesses. The use of modern data repositories can often provide cost savings, business intelligence, information sharing and increased technology scale, yet they also introduce complexities and requirements which often requires advanced enablement of technical staff before their use. It is yet another area in which technology and business needs are outpacing the expertise of technical staff, and this discrepancy is leading to simple security mistakes that simply shouldn’t happen.”

Ben Goodman, VP of global strategy and innovation at ForgeRock, expects the leaked data to quickly make its way to the dark web where it will be used for identity theft, synthetic identity creation and robotic account takeovers.

“Now, more than ever, organizations must use modern behavioral analytics, Know Your Customer and identity proofing tools during account originations and during email and password reset to fight against these well-armed fraudsters,” he added.

Gearbest is owned by Shenzhen-based conglomerate Globalegrow and sells a wide variety of products and ships them all over the world. It has a considerable European presence (including warehouses) and this leak could result in hefty fines if European data protection authorities find the company has fallen afoul of the GDPR.