Data for employees of French sports retailer Decathlon was found to be unsecured and exposed to the internet due to an improperly set up Amazon Web Services S3 bucket, as reported by cyber security firm VPN Mentor.
According to the report, the data for 7,883 employees of Decathlon was found online due to a survey from tech consultant Bluenove. Bluenove was contracted by Decathlon to help them bring their “Vision 2030” project online and install cloud services for the company.
The data breach includes names, usernames, email addresses, country/city of residence, photos and authentication tokens for employees of Decathlon. Decathlon has already released a statement that none of the employees' personal banking or physical location data was at risk, and that they have taken measures to secure the data that was at risk.
VPN Mentor clarifies in the report that the data breach was not the fault of Decathlon, and was the result of an improperly configured Amazon Web Services S3 Bucket. AWS S3 Buckets are very popular for businesses with cloud services, but require security settings to be configured manually when the system is set up.
Bluenove did not configure the S3 Bucket properly at the time of installation, meaning that all data held within the database was freely available on the internet. VPN Mentor discovered the breach on March 9, 2021 and notified vendors and AWS within the next week.
The data breach was patched as of April 12, 2021, with Decathlon having been contacted directly by VPN Mentor.
How much of the data belongs to employees of Decathlon versus customers of the store is currently unclear, but VPN Mentor estimates that as much as 10% of Decathlon’s workforce data was included in the breach.