VPNmentor revealed that Decathlon employee data had been exposed on a public forum.
In a blog post, VPNmentor detailed a cybersecurity incident in which an unidentified hacker published compromised Decathlon employee data on the internet. According to VPNmentor's findings, the leaked data was posted on September 7, 2023.
The compromised data was a 61 MB database file containing personally identifiable information (PII) belonging to thousands of Decathlon employees. This PII included employee full names, usernames, phone numbers, email addresses, countries and cities of residence, photographs, and authentication tokens.
Upon the discovery of this exposed information on the web, VPNmentor promptly initiated contact with both Bluenove and Decathlon to report the security breach.
In correspondence, the organizations acknowledged that copies of the compromised database were circulating on darknet forums. VPNmentor also offered the organizations recommendations for proactive measures to contain and mitigate the incident, with the aim of preventing further exploitation.
Analysis of the available data and charts indicates that a total of 7,883 users were impacted by this security breach.
In its article, VPNmentor stated:
“Upon closer inspection of the data posted on forums, our research team found that the stolen information appeared to match the Decathlon employee data leak that the VPNmentor team previously found and reported in 2021.”
To support the authenticity of their findings, VPNmentor added:
“While we no longer have the data samples from the original leak incident due to our retention policy, our report from before shows that the data shared in the sample posted by the hacker is consistent with the data we found two years prior. This confirms that the recently shared database is authentic.”
Taken together, the reports indicate that Bluenove, a tech and consulting company specializing in “massive collective intelligence,” partnered with Decathlon for the Vision 2030 campaign, gathering data from employees and customers via a survey.
This data was inadvertently exposed through a misconfigured Amazon Web Services (AWS) S3 bucket. VPNmentor discovered the leak on March 9, 2021, reported it to Bluenove and AWS, and the bucket was secured on April 13, 2021. However, it is possible that at least one attacker obtained the data before the leak was secured. Decathlon was not responsible for data security, and the breach was not due to any negligence on their part.
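As an added illustration of the kind of misconfiguration described above (example code written for this article, not VPNmentor's, Bluenove's or AWS's own; the bucket name, account ID and both policies are constructed placeholders, and a public bucket policy is only one of several ways an S3 bucket can end up world-readable), the following Python check flags bucket-policy statements that grant anonymous read or list access, shown against a corrected policy that limits the same permissions to one IAM role:

```python
import json
# Constructed example of a bucket policy that makes objects readable by anyone on
# the internet (a placeholder, not Bluenove's actual configuration).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-survey-bucket", "arn:aws:s3:::example-survey-bucket/*"],
    }],
})

# Corrected form: the same permissions, but limited to one IAM role in the owning
# account (account ID and role name are placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalystsOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/survey-analyst"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-survey-bucket", "arn:aws:s3:::example-survey-bucket/*"],
    }],
})

def _is_public_principal(principal):
    """True when a statement's Principal is the anonymous wildcard, in either form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_read_statements(policy_json):
    """Sids of Allow statements that let anonymous callers read or list objects."""
    # Conditions are ignored on purpose: they may narrow a public statement, so
    # every hit is something to review rather than an automatic verdict.
    read_actions = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in read_actions for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Running the check on a real account would mean feeding it the output of the bucket's policy (for example from the AWS CLI) and combining it with the account's S3 Block Public Access settings, which can override a public policy.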
Threat actors holding the compromised employee information could use it to run phishing campaigns, masquerading as an employee of the organization in order to extract more sensitive information.
VPNmentor advised Decathlon employees who suspect their data may have been compromised between March and November 2020 to promptly contact the organization's security team for guidance on proactive steps.
They were also advised to review their online financial accounts and check for suspicious activity and unusual login or access requests.
VPNmentor has provided additional cybersecurity recommendations, which encompass the need for organizations to establish robust access control policies, conduct cybersecurity education and awareness initiatives, communicate transparent privacy and disclosure policies to stakeholders, maintain and update third-party security solutions, and develop and test incident response plans for effectiveness. These measures strongly align with the objectives and strategic framework outlined by the NIST Cybersecurity Framework.
Please let us know your thoughts on this in the comment section.