SafetyDetectives, an online website of cybersecurity and privacy researchers, has released a new report that claims a Malaysian software company dealing with point-of-sale (POS) systems might have inadvertently exposed the data of over a million customers, and compromised the information of thousands of restaurants and businesses as well as their employees.
The Malaysian company in question is StoreHub. Based in Mutiara Damansara, StoreHub claims to be one of the region’s fastest growing company, with over 15,000 businesses across Southeast Asia using their services. One of their main products appears to be a POS system that they’ve ‘built for modern restaurants, cafes, quick-serve kiosks and retail stores’. They also have business management tools and analytics on offer.
According to SafetyDetectives, StoreHub had failed to configure one of their servers correctly. This has caused over 1.7 billion records and over a terabyte of data to leak out, potentially leaking the details of almost a million customers in Malaysia and perhaps other countries in the region too. The data leak in question appears to be from two main sources: data from customers of businesses using StoreHub, and data from the businesses using StoreHub themselves.
For the former, SafetyDetectives says that the data leaked contains personally identifiable information of customers such as their full names, phone numbers, physical addresses, email addresses and the type of device used. Some of the order details in the data leak also contained partially masked credit card information, along with other order information such as transaction dates, ordered items, store locations and more.
As for the latter, the data leak from businesses using StoreHub apparently contains employee names, check-in and check-out times of their employees, the store name and address as well as their email addresses. SafetyDetectives also added that they saw leaked access tokens which can be used by bad actors to login to the websites of businesses affected to cause more harm.
SafetyDetectives notes that while they discovered this data breach on the 12th of January this year, the server in question appears to have been exposed at least since late November of last year. They then contacted StoreHub, but did not receive a response. SafetyDetectives then tried contacting Amazon Web Services (AWS) and Malaysia Computer Emergency Response Team (MyCERT), who did respond. MyCERT had asked for more information on the 2nd of February, but by then the server had been secured again.
StoreHub though has since come out and denied allegations of a data leak. According to The Star, StoreHub was told by AWS about the issue on the 3rd of February, and they then rectified the issue on the same day. StoreHub also mentioned that following an internal investigation, no data was downloaded maliciously from the server when it was left exposed, and no sensitive financial data or passwords were kept in the vulnerable data.
[ UPDATED 2.10PM, 16/6/2022 ]: StoreHub has since reached out to us to provide a full statement regarding the issue which you can find below:
“In February 3, 2022, StoreHub was made aware of a user data vulnerability instance that had the potential to impact its users.
Upon being informed of the occurrence on an Amazon Web Services (AWS) Elasticsearch instance, StoreHub took immediate action to patch and rectify the vulnerability within 24 hours.
The decisive action helped ensure that no sensitive or private data were maliciously downloaded by any parties and the finding was confirmed through a thorough internal investigation of the incident. The investigation also revealed that no sensitive financial data or passwords were contained in the vulnerability.
As an extra precautionary measure, StoreHub ensured that no tokens within the dataset could be used to login into a merchant’s account. StoreHub understands the severity of the matter and the potential panic caused by this occurrence to our users.
We would like to reassure our users that we take the security of their data very seriously and as such, we will continually work to enhance our data security whilst addressing any and all possible concerns related to it.
Towards that end, StoreHub is working with an independent cybersecurity agency to verify and prevent future potential vulnerabilities. The team will continue to work diligently and closely with its internal teams and external experts to ensure the full and thorough protection of StoreHub’s user data while also providing a comprehensive and integrated technology driven services,” – StoreHub