Home improvement retailer B&Q has suffered a data breach affecting 70,000 of its… well, not customers, exactly.

The breached database contained a list of people who had been caught stealing products from B&Q stores. The document included the names of the offenders, the items they had stolen, the value of the goods and the stores they were taken from.

An extract of the database (via CtrlBox)

The database should only have been accessible to certain employees, but security specialists at CtrlBox found it on an Elasticsearch server that had been left publicly accessible and without password protection.

As the data contains alleged criminal records, it could be considered sensitive information under the GDPR (General Data Protection Regulation).

Just as significantly, CtrlBox reports that B&Q repeatedly failed to report the incident – or even take the database offline – once it had been notified of the breach.

‘Classic illustration’ of poor security practices

According to IT Governance Founder and Executive Chairman Alan Calder, the incident is “a classic illustration of the reality that the majority of security breaches go undiscovered for substantial time periods and are then often discovered by third parties.”

“In this case, not only were B&Q revealed as lacking in very basic cyber security practices (e.g. password access control), they also demonstrated that they do not have a robust incident response plan and they don’t have anything that looks like a resilient defence-in-depth approach to cyber security. For an organisation of their size, that’s pretty poor!”

Calder also outlined some of the ways in which the existence of the list itself is a potential GDPR violation. “How did it inform the data subjects that their data was being processed? What was the lawful basis on which it was processing the data in the first place? How does it demonstrate compliance with the six data processing principles?

“There’s nothing in GDPR that says those people suspected of criminal behaviour don’t have the same rights to the protection of their personal data as anyone else.”